diff --git a/0001-2155-Use-reference-in-loop-in-listpodsandbox.patch b/0001-2155-Use-reference-in-loop-in-listpodsandbox.patch deleted file mode 100644 index 78f5813..0000000 --- a/0001-2155-Use-reference-in-loop-in-listpodsandbox.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 8dacc4a2740ed3ba99fab88324c50fa37274297d Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Tue, 29 Aug 2023 11:50:52 +0000 -Subject: [PATCH 01/32] !2155 Use reference in loop in listpodsandbox * Use - reference in loop in listpodsandbox - ---- - src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -index 33b700f3..687f4e6d 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -@@ -739,7 +739,7 @@ void PodSandboxManagerService::ListPodSandbox(const runtime::v1::PodSandboxFilte - - sandbox::SandboxManager::GetInstance()->ListAllSandboxes(filter, sandboxes); - -- for (const auto sandbox : sandboxes) { -+ for (const auto &sandbox : sandboxes) { - std::unique_ptr pod(new runtime::v1::PodSandbox); - - pod->set_id(sandbox->GetId()); --- -2.25.1 - diff --git a/0001-sandbox-del-m_containers-and-m_containersMutex.patch b/0001-sandbox-del-m_containers-and-m_containersMutex.patch new file mode 100644 index 0000000..84c3455 --- /dev/null +++ b/0001-sandbox-del-m_containers-and-m_containersMutex.patch @@ -0,0 +1,347 @@ +From d1aa4166d8ce7f3db83ff1ffbd54b796943233b3 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Tue, 24 Oct 2023 16:19:15 +0800 +Subject: [PATCH 01/14] sandbox:del m_containers and m_containersMutex + +--- + .../v1/v1_cri_container_manager_service.cc | 30 ----- + .../cri/v1/v1_cri_container_manager_service.h | 1 - + .../v1/v1_cri_pod_sandbox_manager_service.cc | 103 +++++++++++++++--- + .../v1/v1_cri_pod_sandbox_manager_service.h | 7 +- + src/daemon/sandbox/sandbox.cc | 31 ------ + src/daemon/sandbox/sandbox.h | 7 -- + 6 files changed, 95 insertions(+), 84 deletions(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index eb19cac6..70629591 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -499,7 +499,6 @@ std::string ContainerManagerService::CreateContainer(const std::string &podSandb + } + + response_id = response->id; +- sandbox->AddContainer(response_id); + + cleanup: + free_container_create_request(request); +@@ -591,37 +590,8 @@ void ContainerManagerService::StopContainer(const std::string &containerID, int6 + CRIHelpers::StopContainer(m_cb, containerID, timeout, error); + } + +-// TODO: Consider to refactor the way we handle container list in sandbox. +-// This function might be removed after that. +-void ContainerManagerService::RemoveContainerIDFromSandbox(const std::string &containerID) +-{ +- std::string realContainerID; +- std::string podSandboxID; +- Errors error; +- +- CRIHelpersV1::GetContainerSandboxID(containerID, realContainerID, podSandboxID, error); +- if (error.NotEmpty()) { +- WARN("Failed to get sandbox id for container %s: %s", containerID.c_str(), error.GetCMessage()); +- return; +- } +- +- std::shared_ptr sandbox = sandbox::SandboxManager::GetInstance()->GetSandbox(podSandboxID); +- if (sandbox == nullptr) { +- ERROR("Failed to get sandbox instance: %s for creating container", podSandboxID.c_str()); +- error.Errorf("Failed to get sandbox instance: %s for creating container", podSandboxID.c_str()); +- return; +- } +- +- sandbox->RemoveContainer(realContainerID); +-} +- + void ContainerManagerService::RemoveContainer(const std::string &containerID, Errors &error) + { +- // TODO: Refactor after adding the ability to use sandbox manager for sandboxid query +- // This will remove container id from sandbox container_list first, +- // if the following operation failed, it could cause inconsistency. +- RemoveContainerIDFromSandbox(containerID); +- + CRIHelpers::RemoveContainer(m_cb, containerID, error); + if (error.NotEmpty()) { + WARN("Failed to remove container %s", containerID.c_str()); +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h +index 31449170..1d210416 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h +@@ -97,7 +97,6 @@ private: + void MakeContainerConfig(const runtime::v1::ContainerConfig &config, container_config *cConfig, + Errors &error); + void CreateContainerLogSymlink(const std::string &containerID, Errors &error); +- void RemoveContainerIDFromSandbox(const std::string &containerID); + void ListContainersFromGRPC(const runtime::v1::ContainerFilter *filter, container_list_request **request, + Errors &error); + void ListContainersToGRPC(container_list_response *response, +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +index 901ef231..2c802900 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc +@@ -452,20 +452,90 @@ auto PodSandboxManagerService::GetSandboxKey(const container_inspect *inspect_da + return std::string(inspect_data->network_settings->sandbox_key); + } + +-auto PodSandboxManagerService::StopAllContainersInSandbox(const std::vector &containers, +- Errors &error) -> bool ++auto PodSandboxManagerService::GetContainerListResponse(const std::string &readSandboxID, ++ std::vector &errors) -> std::unique_ptr> + { ++ int ret = 0; ++ container_list_request *list_request { nullptr }; ++ container_list_response *list_response { nullptr }; ++ ++ if (m_cb == nullptr || m_cb->container.list == nullptr) { ++ ERROR("Unimplemented callback"); ++ errors.push_back("Unimplemented callback"); ++ return nullptr; ++ } ++ ++ // list all containers to stop ++ auto list_request_wrapper = makeUniquePtrCStructWrapper(free_container_list_request); ++ if (list_request_wrapper == nullptr) { ++ ERROR("Out of memory"); ++ errors.push_back("Out of memory"); ++ return nullptr; ++ } ++ list_request = list_request_wrapper->get(); ++ list_request->all = true; ++ ++ list_request->filters = (defs_filters *)util_common_calloc_s(sizeof(defs_filters)); ++ if (list_request->filters == nullptr) { ++ ERROR("Out of memory"); ++ errors.push_back("Out of memory"); ++ return nullptr; ++ } ++ ++ // Add sandbox label ++ if (CRIHelpers::FiltersAddLabel(list_request->filters, CRIHelpers::Constants::SANDBOX_ID_LABEL_KEY, ++ readSandboxID) != 0) { ++ std::string tmp_errmsg = "Failed to add label in sandbox" + readSandboxID; ++ ERROR(tmp_errmsg.c_str()); ++ errors.push_back(tmp_errmsg); ++ return nullptr; ++ } ++ ++ ret = m_cb->container.list(list_request, &list_response); ++ auto list_response_wrapper = makeUniquePtrCStructWrapper(list_response, free_container_list_response); ++ if (list_response_wrapper == nullptr) { ++ ERROR("Failed to call list container callback"); ++ errors.push_back("Failed to call list container callback"); ++ return nullptr; ++ } ++ if (ret != 0) { ++ if (list_response != nullptr && list_response->errmsg != nullptr) { ++ ERROR(list_response->errmsg); ++ errors.push_back(list_response->errmsg); ++ } else { ++ ERROR("Failed to call list container callback"); ++ errors.push_back("Failed to call list container callback"); ++ } ++ return nullptr; ++ } ++ ++ return list_response_wrapper; ++} ++ ++auto PodSandboxManagerService::StopAllContainersInSandbox(const std::string &readSandboxID, ++ Errors &error) -> int ++{ ++ int ret = 0; ++ std::vector errors; ++ auto list_response_wrapper = GetContainerListResponse(readSandboxID, errors); ++ if (list_response_wrapper == nullptr) { ++ error.SetAggregate(errors); ++ return -1; ++ } ++ auto list_response = list_response_wrapper->get(); ++ + // Stop all containers in the sandbox. +- for (const auto &con : containers) { ++ for (size_t i = 0; i < list_response->containers_len; i++) { + Errors stopError; +- CRIHelpers::StopContainerHelper(m_cb, con, 0, stopError); ++ CRIHelpers::StopContainerHelper(m_cb, list_response->containers[i]->id, 0, stopError); + if (stopError.NotEmpty() && !CRIHelpers::IsContainerNotFoundError(stopError.GetMessage())) { +- ERROR("Error stop container: %s: %s", con.c_str(), stopError.GetCMessage()); ++ ERROR("Error stop container: %s: %s", list_response->containers[i]->id, stopError.GetCMessage()); + error.SetError(stopError.GetMessage()); +- return false; ++ return -1; + } + } +- return true; ++ ++ return ret; + } + + auto PodSandboxManagerService::GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool +@@ -508,7 +578,7 @@ void PodSandboxManagerService::StopPodSandbox(const std::string &podSandboxID, E + // Stop all containers inside the sandbox. This terminates the container forcibly, + // and container may still be created, so production should not rely on this behavior. + // TODO: according to the state(stopping and removal) in sandbox to avoid future container creation. +- if (!StopAllContainersInSandbox(sandbox->GetContainers(), error)) { ++ if (StopAllContainersInSandbox(sandbox->GetId(), error) != 0) { + return; + } + +@@ -524,15 +594,22 @@ void PodSandboxManagerService::StopPodSandbox(const std::string &podSandboxID, E + sandbox->Stop(sandbox::DEFAULT_STOP_TIMEOUT, error); + } + +-void PodSandboxManagerService::RemoveAllContainersInSandbox(const std::vector &containers, ++void PodSandboxManagerService::RemoveAllContainersInSandbox(const std::string &readSandboxID, + std::vector &errors) + { ++ auto list_response_wrapper = GetContainerListResponse(readSandboxID, errors); ++ if (list_response_wrapper == nullptr) { ++ return; ++ } ++ ++ auto list_response = list_response_wrapper->get(); ++ + // Remove all containers in the sandbox. +- for (const auto &con : containers) { ++ for (size_t i = 0; i < list_response->containers_len; i++) { + Errors rmError; +- CRIHelpers::RemoveContainerHelper(m_cb, con, rmError); ++ CRIHelpers::RemoveContainerHelper(m_cb, list_response->containers[i]->id, rmError); + if (rmError.NotEmpty() && !CRIHelpers::IsContainerNotFoundError(rmError.GetMessage())) { +- ERROR("Error remove container: %s: %s", con.c_str(), rmError.GetCMessage()); ++ ERROR("Error remove container: %s: %s", list_response->containers[i]->id, rmError.GetCMessage()); + errors.push_back(rmError.GetMessage()); + } + } +@@ -598,7 +675,7 @@ void PodSandboxManagerService::RemovePodSandbox(const std::string &podSandboxID, + // Remove all containers inside the sandbox. + // container may still be created, so production should not rely on this behavior. + // TODO: according to the state(stopping and removal) in sandbox to avoid future container creation. +- RemoveAllContainersInSandbox(sandbox->GetContainers(), errors); ++ RemoveAllContainersInSandbox(sandbox->GetId(), errors); + if (errors.size() != 0) { + error.SetAggregate(errors); + return; +diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +index 48a7cf7f..2bd28007 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h ++++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h +@@ -32,6 +32,7 @@ + #include "cgroup.h" + #include "sandbox.h" + #include "v1_cri_container_manager_service.h" ++#include "cstruct_wrapper.h" + + namespace CRIV1 { + class PodSandboxManagerService { +@@ -89,9 +90,11 @@ private: + Errors &error); + void ClearCniNetwork(const std::shared_ptr sandbox, Errors &error); + void StopContainerHelper(const std::string &containerID, Errors &error); +- auto StopAllContainersInSandbox(const std::vector &containers, Errors &error) -> bool; ++ auto GetContainerListResponse(const std::string &readSandboxID, ++ std::vector &errors) -> std::unique_ptr>; ++ auto StopAllContainersInSandbox(const std::string &readSandboxID, Errors &error) -> int; + auto GetNetworkReady(const std::string &podSandboxID, Errors &error) -> bool; +- void RemoveAllContainersInSandbox(const std::vector &containers, std::vector &errors); ++ void RemoveAllContainersInSandbox(const std::string &readSandboxID, std::vector &errors); + void ClearNetworkReady(const std::string &podSandboxID); + auto SharesHostNetwork(const container_inspect *inspect) -> runtime::v1::NamespaceMode; + auto SharesHostPid(const container_inspect *inspect) -> runtime::v1::NamespaceMode; +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index ece28f4d..c8fd30be 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -135,12 +135,6 @@ auto Sandbox::GetRuntimeHandle() const -> const std::string & + return m_runtimeInfo.runtimeHandler; + } + +-auto Sandbox::GetContainers() -> std::vector +-{ +- ReadGuard lock(m_containersMutex); +- return m_containers; +-} +- + auto Sandbox::GetSandboxConfig() const -> const runtime::v1::PodSandboxConfig & + { + return *m_sandboxConfig; +@@ -409,27 +403,6 @@ void Sandbox::RemoveLabels(const std::string &key) + m_sandboxConfig->mutable_labels()->erase(key); + } + +-void Sandbox::AddContainer(const std::string &id) +-{ +- WriteGuard lock(m_containersMutex); +- m_containers.push_back(id); +-} +- +-void Sandbox::SetConatiners(const std::vector &cons) +-{ +- WriteGuard lock(m_containersMutex); +- m_containers = cons; +-} +- +-void Sandbox::RemoveContainer(const std::string &id) +-{ +- WriteGuard lock(m_containersMutex); +- auto it = std::find(m_containers.begin(), m_containers.end(), id); +- if (it != m_containers.end()) { +- m_containers.erase(it); +- } +-} +- + void Sandbox::UpdateNetworkSettings(const std::string &settingsJson, Errors &error) + { + if (settingsJson.length() == 0) { +@@ -1009,8 +982,6 @@ auto Sandbox::LoadMetadata(Errors &error) -> bool + m_networkReady = metadata->get()->network_ready; + m_taskAddress = std::string(metadata->get()->task_address); + m_netNsPath = std::string(metadata->get()->net_ns_path); +- Transform::CharArrayToStringVector((const char **)metadata->get()->containers, +- util_array_len((const char **)metadata->get()->containers), m_containers); + + ret = google::protobuf::util::JsonStringToMessage(metadata->get()->sandbox_config_json, &config).ok(); + if (!ret) { +@@ -1120,8 +1091,6 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error) + metadata->task_address = util_strdup_s(m_taskAddress.c_str()); + metadata->net_ns_path = util_strdup_s(m_netNsPath.c_str()); + +- metadata->containers = Transform::StringVectorToCharArray(m_containers); +- + google::protobuf::util::MessageToJsonString(*m_sandboxConfig.get(), &jsonStr); + if (jsonStr.length() == 0) { + error.Errorf("Failed to get sandbox config json for sandbox: '%s'", m_id.c_str()); +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 13ee4958..20a8e338 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -104,7 +104,6 @@ public: + auto GetCreatedAt() -> uint64_t; + auto GetPid() -> uint32_t; + auto GetTaskAddress() const -> const std::string &; +- auto GetContainers() -> std::vector; + auto GetImage() -> const std::string &; + void SetNetMode(const std::string &mode); + void SetController(std::shared_ptr controller); +@@ -112,9 +111,6 @@ public: + void RemoveAnnotations(const std::string &key); + void AddLabels(const std::string &key, const std::string &value); + void RemoveLabels(const std::string &key); +- void AddContainer(const std::string &id); +- void SetConatiners(const std::vector &cons); +- void RemoveContainer(const std::string &id); + void UpdateNetworkSettings(const std::string &settingsJson, Errors &error); + auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo; + void SetNetworkReady(bool ready); +@@ -203,9 +199,6 @@ private: + bool m_networkReady; + std::string m_networkSettings; + std::string m_image; +- // container id lists +- std::vector m_containers; +- RWMutex m_containersMutex; + // TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly + // if save json string directly for sandbox recover, we need to consider hot + // upgrade between different CRI versions +-- +2.42.0 + diff --git a/0002-2156-Fix-sandbox-error-logging.patch b/0002-2156-Fix-sandbox-error-logging.patch deleted file mode 100644 index 7f4d9e5..0000000 --- a/0002-2156-Fix-sandbox-error-logging.patch +++ /dev/null @@ -1,28 +0,0 @@ -From cc6302549b722a5c309c90794afe27b2e7e7b29e Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Tue, 29 Aug 2023 13:18:13 +0000 -Subject: [PATCH 02/32] !2156 Fix sandbox error logging * Fix sandbox error - logging - ---- - src/daemon/sandbox/sandbox.cc | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc -index 2433e11b..968dae24 100644 ---- a/src/daemon/sandbox/sandbox.cc -+++ b/src/daemon/sandbox/sandbox.cc -@@ -581,8 +581,8 @@ auto Sandbox::Create(Errors &error) -> bool - - nret = util_mkdir_p(m_rootdir.c_str(), CONFIG_DIRECTORY_MODE); - if (nret != 0 && errno != EEXIST) { -- error.Errorf("Failed to create sandbox path %s", m_rootdir); -- SYSERROR("Failed to create sandbox path %s", m_rootdir); -+ error.Errorf("Failed to create sandbox path %s", m_rootdir.c_str()); -+ SYSERROR("Failed to create sandbox path %s", m_rootdir.c_str()); - return false; - } - #ifdef ENABLE_USERNS_REMAP --- -2.25.1 - diff --git a/0002-sandbox-adapt-UT-when-del-m_containers-and-m_contain.patch b/0002-sandbox-adapt-UT-when-del-m_containers-and-m_contain.patch new file mode 100644 index 0000000..97a3302 --- /dev/null +++ b/0002-sandbox-adapt-UT-when-del-m_containers-and-m_contain.patch @@ -0,0 +1,167 @@ +From 415d7dca6175136ca4c1c780f1e512fd363d01c4 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Fri, 3 Nov 2023 14:27:45 +0800 +Subject: [PATCH 02/14] sandbox:adapt UT when del m_containers and + m_containersMutex + +--- + .../design/detailed/Sandbox/sandbox_design_zh.md | 16 +--------------- + test/mocks/sandbox_mock.cc | 11 ----------- + test/mocks/sandbox_mock.h | 4 ---- + test/sandbox/sandbox/sandbox_ut.cc | 14 -------------- + 4 files changed, 1 insertion(+), 44 deletions(-) + +diff --git a/docs/design/detailed/Sandbox/sandbox_design_zh.md b/docs/design/detailed/Sandbox/sandbox_design_zh.md +index 86acd70b..109094cb 100644 +--- a/docs/design/detailed/Sandbox/sandbox_design_zh.md ++++ b/docs/design/detailed/Sandbox/sandbox_design_zh.md +@@ -99,7 +99,6 @@ auto GetNetworkSettings() -> const std::string &; + auto GetCreatedAt() -> uint64_t; + auto GetPid() -> uint32_t; + auto GetTaskAddress() const -> const std::string &; +-auto GetContainers() -> std::vector; + + // 设置和更新sandbox的变量值 + void SetNetMode(const std::string &mode); +@@ -108,9 +107,6 @@ void AddAnnotations(const std::string &key, const std::string &value); + void RemoveAnnotations(const std::string &key); + void AddLabels(const std::string &key, const std::string &value); + void RemoveLabels(const std::string &key); +-void AddContainer(const std::string &id); +-void SetConatiners(const std::vector &cons); +-void RemoveContainer(const std::string &id); + void UpdateNetworkSettings(const std::string &settingsJson, Errors &error); + auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo; + void SetNetworkReady(bool ready); +@@ -252,16 +248,12 @@ public: + auto GetCreatedAt() -> uint64_t; + auto GetPid() -> uint32_t; + auto GetTaskAddress() const -> const std::string &; +- auto GetContainers() -> std::vector; + void SetNetMode(const std::string &mode); + void SetController(std::shared_ptr controller); + void AddAnnotations(const std::string &key, const std::string &value); + void RemoveAnnotations(const std::string &key); + void AddLabels(const std::string &key, const std::string &value); + void RemoveLabels(const std::string &key); +- void AddContainer(const std::string &id); +- void SetConatiners(const std::vector &cons); +- void RemoveContainer(const std::string &id); + void UpdateNetworkSettings(const std::string &settingsJson, Errors &error); + auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo; + void SetNetworkReady(bool ready); +@@ -347,9 +339,6 @@ private: + std::string m_networkMode; + bool m_networkReady; + std::string m_networkSettings; +- // container id lists +- std::vector m_containers; +- RWMutex m_containersMutex; + // TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly + // if save json string directly for sandbox recover, we need to consider hot + // upgrade between different CRI versions +@@ -410,9 +399,7 @@ std::string m_netNsPath; + std::string m_networkMode; + bool m_networkReady; + std::string m_networkSettings; +-// container id lists +-std::vector m_containers; +-RWMutex m_containersMutex; ++ + // TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly + // if save json string directly for sandbox recover, we need to consider hot + // upgrade between different CRI versions +@@ -430,7 +417,6 @@ std::set m_vsockPorts; + + 1. m_mutex: 保障并发sandbox的生命周期操作(start, stop, remove) + 2. m_stateMutex:保障并发对m_state,m_statsInfo,m_networkSettings的修改与读取 +-3. m_containersMutex:保障对m_containers的并发操作 + + ## 4.2 sandbox manage 模块 + +diff --git a/test/mocks/sandbox_mock.cc b/test/mocks/sandbox_mock.cc +index ab6c2d60..e5aefdda 100644 +--- a/test/mocks/sandbox_mock.cc ++++ b/test/mocks/sandbox_mock.cc +@@ -77,14 +77,6 @@ const std::string &Sandbox::GetRuntimeHandle() const + return defaultStr; + } + +-std::vector Sandbox::GetContainers() +-{ +- if (g_sandbox_mock != nullptr) { +- return g_sandbox_mock->GetContainers(); +- } +- return defaultVec; +-} +- + const runtime::v1::PodSandboxConfig & Sandbox::GetSandboxConfig() const + { + if (g_sandbox_mock != nullptr) { +@@ -154,9 +146,6 @@ void Sandbox::AddAnnotations(const std::string &key, const std::string &value) { + void Sandbox::RemoveAnnotations(const std::string &key) {} + void Sandbox::AddLabels(const std::string &key, const std::string &value) {} + void Sandbox::RemoveLabels(const std::string &key) {} +-void Sandbox::AddContainer(const std::string &id) {} +-void Sandbox::SetConatiners(const std::vector &cons) {} +-void Sandbox::RemoveContainer(const std::string &id) {} + void Sandbox::UpdateNetworkSettings(const std::string &settingsJson, Errors &error) {} + void Sandbox::PrepareSandboxDirs(Errors &error) {} + void Sandbox::CleanupSandboxDirs() {} +diff --git a/test/mocks/sandbox_mock.h b/test/mocks/sandbox_mock.h +index 6b46dca6..341042e9 100644 +--- a/test/mocks/sandbox_mock.h ++++ b/test/mocks/sandbox_mock.h +@@ -31,7 +31,6 @@ public: + MOCK_METHOD0(GetName, const std::string & ()); + MOCK_METHOD0(GetSandboxer, const std::string & ()); + MOCK_METHOD0(GetRuntimeHandle, const std::string & ()); +- MOCK_METHOD0(GetContainers, std::vector()); + MOCK_METHOD0(GetSandboxConfig, const runtime::v1::PodSandboxConfig &()); + MOCK_METHOD0(GetMutableSandboxConfig, std::shared_ptr()); + MOCK_METHOD0(GetRootDir, const std::string & ()); +@@ -46,9 +45,6 @@ public: + MOCK_METHOD1(RemoveAnnotations, void(const std::string &key)); + MOCK_METHOD2(AddLabels, void(const std::string &key, const std::string &value)); + MOCK_METHOD1(RemoveLabels, void(const std::string &key)); +- MOCK_METHOD1(AddContainer, void(const std::string &id)); +- MOCK_METHOD1(SetConatiners, void(const std::vector &cons)); +- MOCK_METHOD1(RemoveContainer, void(const std::string &id)); + MOCK_METHOD2(UpdateNetworkSettings, void(const std::string &settingsJson, Errors &error)); + MOCK_METHOD1(UpdateStatsInfo, StatsInfo(const StatsInfo &info)); + MOCK_METHOD1(SetNetworkReady, void(bool ready)); +diff --git a/test/sandbox/sandbox/sandbox_ut.cc b/test/sandbox/sandbox/sandbox_ut.cc +index 494fb543..dd84d8fb 100644 +--- a/test/sandbox/sandbox/sandbox_ut.cc ++++ b/test/sandbox/sandbox/sandbox_ut.cc +@@ -49,7 +49,6 @@ TEST_F(SandboxTest, TestDefaultGetters) + ASSERT_STREQ(sandbox->GetRuntime().c_str(), info.runtime.c_str()); + ASSERT_STREQ(sandbox->GetSandboxer().c_str(), info.sandboxer.c_str()); + ASSERT_STREQ(sandbox->GetRuntimeHandle().c_str(), info.runtimeHandler.c_str()); +- ASSERT_EQ(sandbox->GetContainers().size(), 0); + ASSERT_STREQ(sandbox->GetRootDir().c_str(), sandbox_rootdir.c_str()); + ASSERT_STREQ(sandbox->GetStateDir().c_str(), sandbox_statedir.c_str()); + ASSERT_STREQ(sandbox->GetResolvPath().c_str(), (sandbox_rootdir + "/resolv.conf").c_str()); +@@ -85,19 +84,6 @@ TEST_F(SandboxTest, TestGettersAndSetters) + sandbox->RemoveLabels("key"); + EXPECT_TRUE(sandbox->GetSandboxConfig().labels().empty()); + +- std::string containerId = "container_id"; +- sandbox->AddContainer(containerId); +- auto Mycontainers = sandbox->GetContainers(); +- auto it = std::find(Mycontainers.begin(), Mycontainers.end(), containerId); +- EXPECT_NE(Mycontainers.end(), it); +- +- sandbox->RemoveContainer(containerId); +- EXPECT_EQ(sandbox->GetContainers().size(), 0); +- +- std::vector containers = {"container1", "container2"}; +- sandbox->SetConatiners(containers); +- EXPECT_EQ(sandbox->GetContainers(), containers); +- + StatsInfo statsInfo = {1234, 100}; + sandbox->UpdateStatsInfo(statsInfo); + EXPECT_EQ(sandbox->GetStatsInfo().timestamp, statsInfo.timestamp); +-- +2.42.0 + diff --git a/0003-2158-Use-crictl-v1.22.0-for-ci.patch b/0003-2158-Use-crictl-v1.22.0-for-ci.patch deleted file mode 100644 index d555241..0000000 --- a/0003-2158-Use-crictl-v1.22.0-for-ci.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 384940dee7ed5bcc01014520b94917f5782f996e Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Wed, 30 Aug 2023 03:36:45 +0000 -Subject: [PATCH 03/32] !2158 Use crictl v1.22.0 for ci * Use crictl v1.22.0 - for ci - ---- - CI/install_depends.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CI/install_depends.sh b/CI/install_depends.sh -index ff919afe..bff825a8 100755 ---- a/CI/install_depends.sh -+++ b/CI/install_depends.sh -@@ -46,7 +46,7 @@ function make_crictl() - cd cri-tools - # crictl v1.18 cannot recognise the SecurityProfile seccomp of LinuxSandboxSecurityContext - # and the LinuxContainerSecurityContext.has_seccomp() always false -- git checkout v1.24.2 -+ git checkout v1.22.0 - make -j $nproc - echo "make cri-tools: $?" - cp ./build/bin/crictl ${builddir}/bin/ --- -2.25.1 - diff --git a/0003-Add-Readonly-Masked-Path-and-RunAsGroup-support-for-.patch b/0003-Add-Readonly-Masked-Path-and-RunAsGroup-support-for-.patch new file mode 100644 index 0000000..072a5e5 --- /dev/null +++ b/0003-Add-Readonly-Masked-Path-and-RunAsGroup-support-for-.patch @@ -0,0 +1,642 @@ +From c1eb46b00ea65fc5601f0d843bc485d087f687e0 Mon Sep 17 00:00:00 2001 +From: jikai +Date: Mon, 6 Nov 2023 17:31:58 +0800 +Subject: [PATCH 03/14] Add Readonly/Masked Path and RunAsGroup support for cri + +Signed-off-by: jikai +--- + .../common/cri/v1/v1_cri_security_context.cc | 111 ++++++++++++++++-- + .../v1/v1_cri_container_manager_service.cc | 16 ++- + .../entry/cri/v1alpha/cri_security_context.cc | 110 +++++++++++++++-- + src/daemon/modules/spec/specs.c | 74 +++++++++++- + src/daemon/modules/spec/specs_extend.c | 17 ++- + src/daemon/modules/spec/specs_security.c | 19 +-- + 6 files changed, 294 insertions(+), 53 deletions(-) + +diff --git a/src/daemon/common/cri/v1/v1_cri_security_context.cc b/src/daemon/common/cri/v1/v1_cri_security_context.cc +index f6441f42..930710e0 100644 +--- a/src/daemon/common/cri/v1/v1_cri_security_context.cc ++++ b/src/daemon/common/cri/v1/v1_cri_security_context.cc +@@ -19,15 +19,28 @@ + #include + + namespace CRISecurityV1 { +-static void ModifyContainerConfig(const runtime::v1::LinuxContainerSecurityContext &sc, container_config *config) ++static void ModifyContainerConfig(const runtime::v1::LinuxContainerSecurityContext &sc, container_config *config, Errors &error) + { ++ // none -> ""; username -> username; username, uid -> username; username, uid, gid -> username:gid; ++ // username, gid -> username:gid; uid -> uid; uid, gid -> uid:gid; gid -> error ++ std::string user; + if (sc.has_run_as_user()) { +- free(config->user); +- config->user = util_strdup_s(std::to_string(sc.run_as_user().value()).c_str()); ++ user = std::to_string(sc.run_as_user().value()); + } + if (!sc.run_as_username().empty()) { ++ user = sc.run_as_username(); ++ } ++ if (sc.has_run_as_group()) { ++ if (user.empty()) { ++ ERROR("Invalid security context: runAsGroup without runAsUser or runAsUsername"); ++ error.SetError("Invalid security context: runAsGroup without runAsUser or runAsUsername"); ++ return; ++ } ++ user += ":" + std::to_string(sc.run_as_group().value()); ++ } ++ if (!user.empty()) { + free(config->user); +- config->user = util_strdup_s(sc.run_as_username().c_str()); ++ config->user = util_strdup_s(user.c_str()); + } + } + +@@ -42,6 +55,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1::LinuxContainerSecuri + if (!capAdd.empty()) { + hostConfig->cap_add = (char **)util_smart_calloc_s(sizeof(char *), capAdd.size()); + if (hostConfig->cap_add == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -54,6 +68,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1::LinuxContainerSecuri + if (!capDrop.empty()) { + hostConfig->cap_drop = (char **)util_smart_calloc_s(sizeof(char *), capDrop.size()); + if (hostConfig->cap_drop == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -74,7 +89,8 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1::LinuxContainerSecurity + } + + if (hostConfig->security_opt_len > (SIZE_MAX / sizeof(char *)) - 1) { +- error.Errorf("Out of memory"); ++ ERROR("The size of security opts exceeds the limit"); ++ error.Errorf("The size of security opts exceeds the limit"); + return; + } + +@@ -82,6 +98,7 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1::LinuxContainerSecurity + size_t newSize = oldSize + sizeof(char *); + int ret = util_mem_realloc((void **)(&tmp_security_opt), newSize, (void *)hostConfig->security_opt, oldSize); + if (ret != 0) { ++ ERROR("Out of memory"); + error.Errorf("Out of memory"); + return; + } +@@ -98,12 +115,9 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1::LinuxContain + + const google::protobuf::RepeatedField &groups = sc.supplemental_groups(); + if (!groups.empty()) { +- if (static_cast(groups.size()) > SIZE_MAX / sizeof(char *)) { +- error.SetError("Invalid group size"); +- return; +- } +- hostConfig->group_add = (char **)util_common_calloc_s(sizeof(char *) * groups.size()); ++ hostConfig->group_add = (char **)util_smart_calloc_s(sizeof(char *), groups.size()); + if (hostConfig->group_add == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -114,6 +128,64 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1::LinuxContain + } + } + ++static void ApplyMaskedPathsToHostConfig(const runtime::v1::LinuxContainerSecurityContext &sc, host_config *hostConfig, ++ Errors &error) ++{ ++ if (sc.masked_paths_size() <= 0) { ++ return; ++ } ++ ++ if (hostConfig->masked_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.masked_paths_size())) { ++ ERROR("The size of masked paths exceeds the limit"); ++ error.Errorf("The size of masked paths exceeds the limit"); ++ return; ++ } ++ ++ char **tmp_masked_paths {nullptr}; ++ size_t oldSize = hostConfig->masked_paths_len * sizeof(char *); ++ size_t newSize = oldSize + sc.masked_paths_size() * sizeof(char *); ++ int ret = util_mem_realloc((void **)&tmp_masked_paths, newSize, (void *)hostConfig->masked_paths, oldSize); ++ if (ret != 0) { ++ ERROR("Out of memory"); ++ error.Errorf("Out of memory"); ++ return; ++ } ++ ++ hostConfig->masked_paths = tmp_masked_paths; ++ for (int i = 0; i < sc.masked_paths_size(); ++i) { ++ hostConfig->masked_paths[hostConfig->masked_paths_len++] = util_strdup_s(sc.masked_paths(i).c_str()); ++ } ++} ++ ++static void ApplyReadonlyPathsToHostConfig(const runtime::v1::LinuxContainerSecurityContext &sc, host_config *hostConfig, ++ Errors &error) ++{ ++ if (sc.readonly_paths_size() <= 0) { ++ return; ++ } ++ ++ if (hostConfig->readonly_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.readonly_paths_size())) { ++ ERROR("The size of readonly paths exceeds the limit"); ++ error.Errorf("The size of readonly paths exceeds the limit"); ++ return; ++ } ++ ++ char **tmp_readonly_paths {nullptr}; ++ size_t oldSize = hostConfig->readonly_paths_len * sizeof(char *); ++ size_t newSize = oldSize + sc.readonly_paths_size() * sizeof(char *); ++ int ret = util_mem_realloc((void **)&tmp_readonly_paths, newSize, (void *)hostConfig->readonly_paths, oldSize); ++ if (ret != 0) { ++ ERROR("Out of memory"); ++ error.Errorf("Out of memory"); ++ return; ++ } ++ ++ hostConfig->readonly_paths = tmp_readonly_paths; ++ for (int i = 0; i < sc.readonly_paths_size(); ++i) { ++ hostConfig->readonly_paths[hostConfig->readonly_paths_len++] = util_strdup_s(sc.readonly_paths(i).c_str()); ++ } ++} ++ + static void ModifyHostConfig(const runtime::v1::LinuxContainerSecurityContext &sc, host_config *hostConfig, + Errors &error) + { +@@ -123,6 +195,8 @@ static void ModifyHostConfig(const runtime::v1::LinuxContainerSecurityContext &s + ModifyHostConfigCapabilities(sc, hostConfig, error); + ModifyHostConfigNoNewPrivs(sc, hostConfig, error); + ModifyHostConfigscSupplementalGroups(sc, hostConfig, error); ++ ApplyMaskedPathsToHostConfig(sc, hostConfig, error); ++ ApplyReadonlyPathsToHostConfig(sc, hostConfig, error); + } + + static void ModifyContainerNamespaceOptions(const runtime::v1::NamespaceOption &nsOpts, +@@ -196,11 +270,18 @@ void ApplySandboxSecurityContext(const runtime::v1::LinuxPodSandboxConfig &lc, c + *sc->mutable_supplemental_groups() = old.supplemental_groups(); + sc->set_readonly_rootfs(old.readonly_rootfs()); + } +- ModifyContainerConfig(*sc, config); ++ ModifyContainerConfig(*sc, config, error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to modify container config for sandbox"); ++ return; ++ } ++ + ModifyHostConfig(*sc, hc, error); + if (error.NotEmpty()) { ++ ERROR("Failed to modify host config for sandbox"); + return; + } ++ + ModifySandboxNamespaceOptions(sc->namespace_options(), hc); + } + +@@ -209,9 +290,15 @@ void ApplyContainerSecurityContext(const runtime::v1::LinuxContainerConfig &lc, + { + if (lc.has_security_context()) { + const runtime::v1::LinuxContainerSecurityContext &sc = lc.security_context(); +- ModifyContainerConfig(sc, config); ++ ModifyContainerConfig(sc, config, error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to modify container config for container"); ++ return; ++ } ++ + ModifyHostConfig(sc, hc, error); + if (error.NotEmpty()) { ++ ERROR("Failed to modify host config for container"); + return; + } + } +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index 70629591..1f20d2d2 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -128,8 +128,22 @@ void ContainerManagerService::DoUsePodLevelSELinuxConfig(const runtime::v1::Cont + return; + } + ++ const char securityOptSep = '='; ++ + const runtime::v1::LinuxSandboxSecurityContext &context = config.linux().security_context(); +- CRIHelpersV1::ApplySandboxSecurityContextToHostConfig(context, hostconfig, error); ++ std::vector selinuxOpts = CRIHelpersV1::GetSELinuxLabelOpts(context.has_selinux_options(), ++ context.selinux_options(), securityOptSep, error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to generate SELinuxLabel options for container %s", error.GetMessage().c_str()); ++ error.Errorf("Failed to generate SELinuxLabel options for container %s", error.GetMessage().c_str()); ++ return; ++ } ++ CRIHelpersV1::AddSecurityOptsToHostConfig(selinuxOpts, hostconfig, error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to add securityOpts to hostconfig: %s", error.GetMessage().c_str()); ++ error.Errorf("Failed to add securityOpts to hostconfig: %s", error.GetMessage().c_str()); ++ return; ++ } + } + + auto ContainerManagerService::IsSELinuxLabelEmpty(const ::runtime::v1::SELinuxOption &selinuxOption) -> bool +diff --git a/src/daemon/entry/cri/v1alpha/cri_security_context.cc b/src/daemon/entry/cri/v1alpha/cri_security_context.cc +index 0535b438..57ec3a63 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_security_context.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_security_context.cc +@@ -20,15 +20,29 @@ + #include + + namespace CRISecurity { +-static void ModifyContainerConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, container_config *config) ++static void ModifyContainerConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, container_config *config, ++ Errors &error) + { ++ // none -> ""; username -> username; username, uid -> username; username, uid, gid -> username:gid; ++ // username, gid -> username:gid; uid -> uid; uid, gid -> uid:gid; gid -> error ++ std::string user; + if (sc.has_run_as_user()) { +- free(config->user); +- config->user = util_strdup_s(std::to_string(sc.run_as_user().value()).c_str()); ++ user = std::to_string(sc.run_as_user().value()); + } + if (!sc.run_as_username().empty()) { ++ user = sc.run_as_username(); ++ } ++ if (sc.has_run_as_group()) { ++ if (user.empty()) { ++ ERROR("Invalid security context: runAsGroup without runAsUser or runAsUsername"); ++ error.SetError("Invalid security context: runAsGroup without runAsUser or runAsUsername"); ++ return; ++ } ++ user += ":" + std::to_string(sc.run_as_group().value()); ++ } ++ if (!user.empty()) { + free(config->user); +- config->user = util_strdup_s(sc.run_as_username().c_str()); ++ config->user = util_strdup_s(user.c_str()); + } + } + +@@ -43,6 +57,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1alpha2::LinuxContainer + if (!capAdd.empty()) { + hostConfig->cap_add = (char **)util_smart_calloc_s(sizeof(char *), capAdd.size()); + if (hostConfig->cap_add == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -55,6 +70,7 @@ static void ModifyHostConfigCapabilities(const runtime::v1alpha2::LinuxContainer + if (!capDrop.empty()) { + hostConfig->cap_drop = (char **)util_smart_calloc_s(sizeof(char *), capDrop.size()); + if (hostConfig->cap_drop == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -75,7 +91,8 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1alpha2::LinuxContainerSe + } + + if (hostConfig->security_opt_len > (SIZE_MAX / sizeof(char *)) - 1) { +- error.Errorf("Out of memory"); ++ ERROR("The size of security opts exceeds the limit"); ++ error.Errorf("The size of security opts exceeds the limit"); + return; + } + +@@ -83,6 +100,7 @@ static void ModifyHostConfigNoNewPrivs(const runtime::v1alpha2::LinuxContainerSe + size_t newSize = oldSize + sizeof(char *); + int ret = util_mem_realloc((void **)(&tmp_security_opt), newSize, (void *)hostConfig->security_opt, oldSize); + if (ret != 0) { ++ ERROR("Out of memory"); + error.Errorf("Out of memory"); + return; + } +@@ -99,12 +117,9 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1alpha2::LinuxC + + const google::protobuf::RepeatedField &groups = sc.supplemental_groups(); + if (!groups.empty()) { +- if (static_cast(groups.size()) > SIZE_MAX / sizeof(char *)) { +- error.SetError("Invalid group size"); +- return; +- } +- hostConfig->group_add = (char **)util_common_calloc_s(sizeof(char *) * groups.size()); ++ hostConfig->group_add = (char **)util_smart_calloc_s(sizeof(char *), groups.size()); + if (hostConfig->group_add == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -115,6 +130,64 @@ static void ModifyHostConfigscSupplementalGroups(const runtime::v1alpha2::LinuxC + } + } + ++static void ApplyMaskedPathsToHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig, ++ Errors &error) ++{ ++ if (sc.masked_paths_size() <= 0) { ++ return; ++ } ++ ++ if (hostConfig->masked_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.masked_paths_size())) { ++ ERROR("The size of masked paths exceeds the limit"); ++ error.Errorf("The size of masked paths exceeds the limit"); ++ return; ++ } ++ ++ char **tmp_masked_paths {nullptr}; ++ size_t oldSize = hostConfig->masked_paths_len * sizeof(char *); ++ size_t newSize = oldSize + sc.masked_paths_size() * sizeof(char *); ++ int ret = util_mem_realloc((void **)&tmp_masked_paths, newSize, (void *)hostConfig->masked_paths, oldSize); ++ if (ret != 0) { ++ ERROR("Out of memory"); ++ error.Errorf("Out of memory"); ++ return; ++ } ++ ++ hostConfig->masked_paths = tmp_masked_paths; ++ for (int i = 0; i < sc.masked_paths_size(); ++i) { ++ hostConfig->masked_paths[hostConfig->masked_paths_len++] = util_strdup_s(sc.masked_paths(i).c_str()); ++ } ++} ++ ++static void ApplyReadonlyPathsToHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig, ++ Errors &error) ++{ ++ if (sc.readonly_paths_size() <= 0) { ++ return; ++ } ++ ++ if (hostConfig->readonly_paths_len > ((SIZE_MAX / sizeof(char *)) - sc.readonly_paths_size())) { ++ ERROR("The size of readonly paths exceeds the limit"); ++ error.Errorf("The size of readonly paths exceeds the limit"); ++ return; ++ } ++ ++ char **tmp_readonly_paths {nullptr}; ++ size_t oldSize = hostConfig->readonly_paths_len * sizeof(char *); ++ size_t newSize = oldSize + sc.readonly_paths_size() * sizeof(char *); ++ int ret = util_mem_realloc((void **)&tmp_readonly_paths, newSize, (void *)hostConfig->readonly_paths, oldSize); ++ if (ret != 0) { ++ ERROR("Out of memory"); ++ error.Errorf("Out of memory"); ++ return; ++ } ++ ++ hostConfig->readonly_paths = tmp_readonly_paths; ++ for (int i = 0; i < sc.readonly_paths_size(); ++i) { ++ hostConfig->readonly_paths[hostConfig->readonly_paths_len++] = util_strdup_s(sc.readonly_paths(i).c_str()); ++ } ++} ++ + static void ModifyHostConfig(const runtime::v1alpha2::LinuxContainerSecurityContext &sc, host_config *hostConfig, + Errors &error) + { +@@ -124,6 +197,8 @@ static void ModifyHostConfig(const runtime::v1alpha2::LinuxContainerSecurityCont + ModifyHostConfigCapabilities(sc, hostConfig, error); + ModifyHostConfigNoNewPrivs(sc, hostConfig, error); + ModifyHostConfigscSupplementalGroups(sc, hostConfig, error); ++ ApplyMaskedPathsToHostConfig(sc, hostConfig, error); ++ ApplyReadonlyPathsToHostConfig(sc, hostConfig, error); + } + + static void ModifyContainerNamespaceOptions(const runtime::v1alpha2::NamespaceOption &nsOpts, +@@ -179,6 +254,7 @@ void ApplySandboxSecurityContext(const runtime::v1alpha2::LinuxPodSandboxConfig + std::unique_ptr sc( + new (std::nothrow) runtime::v1alpha2::LinuxContainerSecurityContext); + if (sc == nullptr) { ++ ERROR("Out of memory"); + error.SetError("Out of memory"); + return; + } +@@ -197,9 +273,14 @@ void ApplySandboxSecurityContext(const runtime::v1alpha2::LinuxPodSandboxConfig + *sc->mutable_supplemental_groups() = old.supplemental_groups(); + sc->set_readonly_rootfs(old.readonly_rootfs()); + } +- ModifyContainerConfig(*sc, config); ++ ModifyContainerConfig(*sc, config, error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to modify container config for sandbox"); ++ return; ++ } + ModifyHostConfig(*sc, hc, error); + if (error.NotEmpty()) { ++ ERROR("Failed to modify host config for sandbox"); + return; + } + ModifySandboxNamespaceOptions(sc->namespace_options(), hc); +@@ -210,9 +291,14 @@ void ApplyContainerSecurityContext(const runtime::v1alpha2::LinuxContainerConfig + { + if (lc.has_security_context()) { + const runtime::v1alpha2::LinuxContainerSecurityContext &sc = lc.security_context(); +- ModifyContainerConfig(sc, config); ++ ModifyContainerConfig(sc, config, error); ++ if (error.NotEmpty()) { ++ ERROR("Failed to modify container config for container"); ++ return; ++ } + ModifyHostConfig(sc, hc, error); + if (error.NotEmpty()) { ++ ERROR("Failed to modify host config for container"); + return; + } + } +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index a7751d1b..95346603 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -2133,6 +2133,58 @@ static int generate_security_opt(host_config *hc) + } + #endif + ++static int merge_paths(char ***dest_paths, size_t *dest_paths_len, char **src_paths, size_t src_paths_len) ++{ ++ if (dest_paths == NULL || dest_paths_len == NULL) { ++ ERROR("Invalid args"); ++ return -1; ++ } ++ ++ if (src_paths_len > SIZE_MAX / sizeof(char *) || ++ *dest_paths_len > ((SIZE_MAX / sizeof(char *)) - src_paths_len)) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ ++ size_t i; ++ char **tmp_paths = NULL; ++ size_t old_size = *dest_paths_len * sizeof(char *); ++ size_t new_size = old_size + src_paths_len * sizeof(char *); ++ int ret = util_mem_realloc((void **)&tmp_paths, new_size, ++ (void *)*dest_paths, old_size); ++ if (ret != 0) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ ++ *dest_paths = tmp_paths; ++ for (i = 0; i < src_paths_len; i++) { ++ (*dest_paths)[(*dest_paths_len)++] = util_strdup_s(src_paths[i]); ++ } ++ ++ return 0; ++} ++ ++static int merge_masked_paths(oci_runtime_spec *oci_spec, char **masked_paths, size_t masked_paths_len) ++{ ++ if (masked_paths == NULL || masked_paths_len == 0) { ++ return 0; ++ } ++ ++ return merge_paths(&oci_spec->linux->masked_paths, &oci_spec->linux->masked_paths_len, ++ masked_paths, masked_paths_len); ++} ++ ++static int merge_readonly_paths(oci_runtime_spec *oci_spec, char **readonly_paths, size_t readonly_paths_len) ++{ ++ if (readonly_paths == NULL || readonly_paths_len == 0) { ++ return 0; ++ } ++ ++ return merge_paths(&oci_spec->linux->readonly_paths, &oci_spec->linux->readonly_paths_len, ++ readonly_paths, readonly_paths_len); ++} ++ + static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spec, + container_config_v2_common_config *v2_spec) + { +@@ -2180,6 +2232,18 @@ static int merge_security_conf(oci_runtime_spec *oci_spec, host_config *host_spe + } + #endif + ++ ret = merge_masked_paths(oci_spec, host_spec->masked_paths, host_spec->masked_paths_len); ++ if (ret != 0) { ++ ERROR("Failed to merge masked paths"); ++ goto out; ++ } ++ ++ ret = merge_readonly_paths(oci_spec, host_spec->readonly_paths, host_spec->readonly_paths_len); ++ if (ret != 0) { ++ ERROR("Failed to merge readonly paths"); ++ goto out; ++ } ++ + out: + return ret; + } +@@ -2205,11 +2269,6 @@ static int merge_oci_cgroups_path(const char *id, oci_runtime_spec *oci_spec, co + return -1; + } + +- if (make_sure_oci_spec_linux(oci_spec) != 0) { +- ERROR("Failed to make oci spec linux"); +- return -1; +- } +- + free(oci_spec->linux->cgroups_path); + oci_spec->linux->cgroups_path = merge_container_cgroups_path(id, host_spec); + +@@ -2228,6 +2287,11 @@ int merge_all_specs(host_config *host_spec, const char *real_rootfs, container_c + char *userns_remap = conf_get_isulad_userns_remap(); + #endif + ++ if (make_sure_oci_spec_linux(oci_spec) != 0) { ++ ERROR("Failed to make oci spec linux"); ++ return -1; ++ } ++ + ret = merge_root(oci_spec, real_rootfs, host_spec); + if (ret != 0) { + ERROR("Failed to merge root"); +diff --git a/src/daemon/modules/spec/specs_extend.c b/src/daemon/modules/spec/specs_extend.c +index 5ede7936..199cba54 100644 +--- a/src/daemon/modules/spec/specs_extend.c ++++ b/src/daemon/modules/spec/specs_extend.c +@@ -136,28 +136,21 @@ static int make_linux_uid_gid_mappings(oci_runtime_spec *container, unsigned int + unsigned int size) + { + int ret = 0; +- +- ret = make_sure_oci_spec_linux(container); +- if (ret < 0) { +- goto out; +- } +- + if (container->linux->uid_mappings == NULL) { + ret = make_one_id_mapping(&(container->linux->uid_mappings), host_uid, size); + if (ret < 0) { +- goto out; ++ return ret; + } + container->linux->uid_mappings_len++; + } + if (container->linux->gid_mappings == NULL) { + ret = make_one_id_mapping(&(container->linux->gid_mappings), host_gid, size); + if (ret < 0) { +- goto out; ++ return ret; + } + container->linux->gid_mappings_len++; + } + +-out: + return ret; + } + +@@ -180,6 +173,12 @@ int make_userns_remap(oci_runtime_spec *container, const char *user_remap) + if (host_uid == 0 && host_gid == 0) { + return 0; + } ++ ++ if (make_sure_oci_spec_linux(container) != 0) { ++ ERROR("Failed to make oci spce linux"); ++ return -1; ++ } ++ + ret = make_linux_uid_gid_mappings(container, host_uid, host_gid, size); + if (ret) { + ERROR("Make linux uid and gid mappings failed"); +diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c +index 08db8d0d..e78cc744 100644 +--- a/src/daemon/modules/spec/specs_security.c ++++ b/src/daemon/modules/spec/specs_security.c +@@ -879,13 +879,6 @@ int merge_caps(oci_runtime_spec *oci_spec, const char **adds, size_t adds_len, c + + static int make_sure_oci_spec_linux_sysctl(oci_runtime_spec *oci_spec) + { +- int ret = 0; +- +- ret = make_sure_oci_spec_linux(oci_spec); +- if (ret < 0) { +- return -1; +- } +- + if (oci_spec->linux->sysctl == NULL) { + oci_spec->linux->sysctl = util_common_calloc_s(sizeof(json_map_string_string)); + if (oci_spec->linux->sysctl == NULL) { +@@ -904,6 +897,11 @@ int merge_sysctls(oci_runtime_spec *oci_spec, const json_map_string_string *sysc + return 0; + } + ++ ret = make_sure_oci_spec_linux(oci_spec); ++ if (ret < 0) { ++ return -1; ++ } ++ + ret = make_sure_oci_spec_linux_sysctl(oci_spec); + if (ret < 0) { + goto out; +@@ -1004,13 +1002,6 @@ static void free_adds_cap_for_system_container(char **adds, size_t adds_len) + + static int make_sure_oci_spec_linux_seccomp(oci_runtime_spec *oci_spec) + { +- int ret = 0; +- +- ret = make_sure_oci_spec_linux(oci_spec); +- if (ret < 0) { +- return -1; +- } +- + if (oci_spec->linux->seccomp == NULL) { + oci_spec->linux->seccomp = util_common_calloc_s(sizeof(oci_runtime_config_linux_seccomp)); + if (oci_spec->linux->seccomp == NULL) { +-- +2.42.0 + diff --git a/0004-2162-Fix-rename-issue-for-id-manager.patch b/0004-2162-Fix-rename-issue-for-id-manager.patch deleted file mode 100644 index 96719de..0000000 --- a/0004-2162-Fix-rename-issue-for-id-manager.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 0dbf21e22d51721e43fa2c1abecf30da271501c5 Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Thu, 31 Aug 2023 04:11:22 +0000 -Subject: [PATCH 04/32] !2162 Fix rename issue for id manager Merge pull - request !2162 from xuxuepeng/master - ---- - src/daemon/common/id_name_manager.c | 21 ++++++++++++++++++- - src/daemon/common/id_name_manager.h | 1 + - .../container_cb/execution_information.c | 12 +++++++++++ - src/daemon/sandbox/sandbox_manager.cc | 6 ++++-- - 4 files changed, 37 insertions(+), 3 deletions(-) - -diff --git a/src/daemon/common/id_name_manager.c b/src/daemon/common/id_name_manager.c -index e6b24798..3fc1c443 100644 ---- a/src/daemon/common/id_name_manager.c -+++ b/src/daemon/common/id_name_manager.c -@@ -382,4 +382,23 @@ bool id_name_manager_remove_entry(const char *id, const char *name) - } - - return ret; --} -\ No newline at end of file -+} -+ -+bool id_name_manager_rename(const char *new_name, const char *old_name) -+{ -+ if (old_name == NULL || new_name == NULL) { -+ ERROR("Failed to rename empty name"); -+ return false; -+ } -+ -+ if (!try_add_name(new_name)) { -+ ERROR("Failed to add %s to name map", new_name); -+ return false; -+ } -+ -+ if (!try_remove_name(old_name)) { -+ WARN("Failed to remove %s from name map", old_name); -+ } -+ -+ return true; -+} -diff --git a/src/daemon/common/id_name_manager.h b/src/daemon/common/id_name_manager.h -index 3c9f6d45..09f0867e 100644 ---- a/src/daemon/common/id_name_manager.h -+++ b/src/daemon/common/id_name_manager.h -@@ -27,6 +27,7 @@ bool id_name_manager_add_entry_with_existing_id(const char *id, const char *name - bool id_name_manager_add_entry_with_new_id(const char *name, char **id); - bool id_name_manager_add_entry_with_new_id_and_name(char **id, char **name); - bool id_name_manager_remove_entry(const char *id, const char *name); -+bool id_name_manager_rename(const char *new_name, const char *old_name); - - #ifdef __cplusplus - } -diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c -index 28480224..93e5032e 100644 ---- a/src/daemon/executor/container_cb/execution_information.c -+++ b/src/daemon/executor/container_cb/execution_information.c -@@ -60,6 +60,7 @@ - #include "utils_convert.h" - #include "utils_string.h" - #include "utils_verify.h" -+#include "id_name_manager.h" - - static int container_version_cb(const container_version_request *request, container_version_response **response) - { -@@ -1075,11 +1076,22 @@ static int container_rename(container_t *cont, const char *new_name) - goto out; - } - -+ if (!id_name_manager_rename(new_name, old_name)) { -+ ERROR("Failed to rename %s to %s in id-name manager", old_name, new_name); -+ isulad_set_error_message("Failed to rename %s to %s in id-name manager", old_name, new_name); -+ ret = -1; -+ goto out; -+ } -+ - if (!container_name_index_rename(new_name, old_name, id)) { - ERROR("Name %s is in use", new_name); - isulad_set_error_message("Conflict. The name \"%s\" is already in use by container %s. " - "You have to remove (or rename) that container to be able to reuse that name.", - new_name, new_name); -+ // restore name in id-name manager -+ if (!id_name_manager_rename(old_name, new_name)) { -+ ERROR("Failed to restore name from \"%s\" to \"%s\" in id-name manager", new_name, old_name); -+ } - ret = -1; - goto out; - } -diff --git a/src/daemon/sandbox/sandbox_manager.cc b/src/daemon/sandbox/sandbox_manager.cc -index 527a9aec..e258320a 100644 ---- a/src/daemon/sandbox/sandbox_manager.cc -+++ b/src/daemon/sandbox/sandbox_manager.cc -@@ -210,11 +210,13 @@ bool SandboxManager::IDNameManagerRemoveEntry(const std::string &id, const std:: - // Save the id and name of the sandbox to the map of the id_name_manager module - bool SandboxManager::IDNameManagerNewEntry(std::string &id, const std::string &name) - { -- __isula_auto_free char *tmpId = NULL; - bool ret = false; - if (id.empty()) { -+ __isula_auto_free char *tmpId = NULL; - ret = id_name_manager_add_entry_with_new_id(name.c_str(), &tmpId); -- id = tmpId; -+ if (tmpId != NULL) { -+ id = tmpId; -+ } - } else { - ret = id_name_manager_add_entry_with_existing_id(id.c_str(), name.c_str()); - } --- -2.25.1 - diff --git a/0004-network-support-version-opt.patch b/0004-network-support-version-opt.patch new file mode 100644 index 0000000..db3a845 --- /dev/null +++ b/0004-network-support-version-opt.patch @@ -0,0 +1,482 @@ +From 7a2dd92a527c1f5ee79239d93b792dc9a9758e27 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Tue, 7 Nov 2023 20:38:22 +0800 +Subject: [PATCH 04/14] network:support version opt + +--- + .../network/cni_operator/cni_operate.c | 16 +++ + .../network/cni_operator/cni_operate.h | 3 + + .../cni_operator/libcni/invoke/libcni_exec.c | 86 +++++++++++++- + .../cni_operator/libcni/invoke/libcni_exec.h | 2 + + .../libcni/invoke/libcni_result_parse.c | 29 +++++ + .../libcni/invoke/libcni_result_parse.h | 6 + + .../network/cni_operator/libcni/libcni_api.c | 106 ++++++++++++++++++ + .../network/cni_operator/libcni/libcni_api.h | 8 +- + .../cni_operator/libcni/libcni_result_type.c | 18 +++ + .../cni_operator/libcni/libcni_result_type.h | 12 ++ + .../modules/network/native/adaptor_native.c | 3 +- + 11 files changed, 281 insertions(+), 8 deletions(-) + +diff --git a/src/daemon/modules/network/cni_operator/cni_operate.c b/src/daemon/modules/network/cni_operator/cni_operate.c +index 62249f18..6db6db51 100644 +--- a/src/daemon/modules/network/cni_operator/cni_operate.c ++++ b/src/daemon/modules/network/cni_operator/cni_operate.c +@@ -926,6 +926,22 @@ out: + return ret; + } + ++int version_network_plane(const struct cni_network_list_conf *list, ++ struct cni_version_info_list **result_version_list) ++{ ++ if (list == NULL || list->list == NULL) { ++ ERROR("Invalid input params"); ++ return -1; ++ } ++ ++ if (cni_version_network_list(list, result_version_list) != 0) { ++ ERROR("Version CNI network failed"); ++ return -1; ++ } ++ ++ return 0; ++} ++ + int detach_loopback(const char *id, const char *netns) + { + int ret = 0; +diff --git a/src/daemon/modules/network/cni_operator/cni_operate.h b/src/daemon/modules/network/cni_operator/cni_operate.h +index 150c1154..7750ff00 100644 +--- a/src/daemon/modules/network/cni_operator/cni_operate.h ++++ b/src/daemon/modules/network/cni_operator/cni_operate.h +@@ -61,6 +61,9 @@ int detach_network_plane(const struct cni_manager *manager, const struct cni_net + int check_network_plane(const struct cni_manager *manager, const struct cni_network_list_conf *list, + struct cni_opt_result **result); + ++int version_network_plane(const struct cni_network_list_conf *list, ++ struct cni_version_info_list **result_version_list); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c +index c4bc81c0..4908565e 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c ++++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.c +@@ -28,7 +28,7 @@ + #include + + #include +-#include ++#include + #include + #include + #include +@@ -183,10 +183,10 @@ static char *str_cni_exec_error(const cni_exec_error *e_err) + static char *cniversion_decode(const char *jsonstr) + { + __isula_auto_free parser_error err = NULL; +- cni_version *conf = NULL; ++ cni_version_info *conf = NULL; + char *result = NULL; + +- conf = cni_version_parse_data(jsonstr, NULL, &err); ++ conf = cni_version_info_parse_data(jsonstr, NULL, &err); + if (conf == NULL) { + ERROR("decoding config \"%s\", failed: %s", jsonstr, err); + goto out; +@@ -198,7 +198,7 @@ static char *cniversion_decode(const char *jsonstr) + + result = util_strdup_s(conf->cni_version); + out: +- free_cni_version(conf); ++ free_cni_version_info(conf); + return result; + } + +@@ -466,6 +466,84 @@ out: + return ret; + } + ++static char *get_default_version_stdin(void) ++{ ++ char *stdin_str = NULL; ++ int ret; ++ ++ ret = asprintf(&stdin_str, "{\"cniVersion\":\"%s\"}", CURRENT_VERSION); ++ if (ret < 0) { ++ ERROR("parse cni version failed"); ++ } ++ return stdin_str; ++} ++ ++static int do_parse_version_info_stdout_str(int exec_ret, const cni_exec_error *e_err, ++ const char *stdout_str, cni_version_info **result_version) ++{ ++ __isula_auto_free char *err_msg = NULL; ++ struct parser_context ctx = { OPT_GEN_SIMPLIFY, 0 }; ++ __isula_auto_free parser_error perr = NULL; ++ ++ if (exec_ret != 0) { ++ err_msg = str_cni_exec_error(e_err); ++ ERROR("raw exec failed: %s", err_msg); ++ isulad_append_error_message("raw exec failed: %s. ", err_msg); ++ return -1; ++ } ++ ++ if (stdout_str == NULL || strlen(stdout_str) == 0) { ++ ERROR("Get empty version result"); ++ return -1; ++ } ++ free_cni_version_info(*result_version); ++ *result_version = cni_version_info_parse_data(stdout_str, &ctx, &perr); ++ if (*result_version == NULL) { ++ ERROR("parse cni result version failed: %s", perr); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int get_version_info(const char *plugin_path, cni_version_info **result_version) ++{ ++ __isula_auto_free char *err_msg = NULL; ++ char **envs = NULL; ++ __isula_auto_free char *stdout_str = NULL; ++ __isula_auto_free char *stdin_str = NULL; ++ cni_exec_error *e_err = NULL; ++ int ret = 0; ++ const struct cni_args cniargs = { ++ .command = "VERSION", ++ .netns = "dummy", ++ .ifname = "dummy", ++ .path = "dummy", ++ .container_id = "dummy" ++ }; ++ ++ stdin_str = get_default_version_stdin(); ++ if (stdin_str == NULL) { ++ return -1; ++ } ++ ++ envs = as_env(&cniargs); ++ if (envs == NULL) { ++ ERROR("create env failed"); ++ return -1; ++ } ++ ++ ret = raw_exec(plugin_path, stdin_str, envs, &stdout_str, &e_err); ++ DEBUG("Raw exec \"%s\" result: %d", plugin_path, ret); ++ DEBUG("Raw exec stdout: %s", stdout_str); ++ ret = do_parse_version_info_stdout_str(ret, e_err, stdout_str, result_version); ++ ++ util_free_array(envs); ++ free_cni_exec_error(e_err); ++ return ret; ++ ++} ++ + void free_cni_args(struct cni_args *cargs) + { + size_t i = 0; +diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h +index 60b1c972..48d8d8b6 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h ++++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_exec.h +@@ -40,6 +40,8 @@ int exec_plugin_with_result(const char *plugin_path, const char *cni_net_conf_js + + int exec_plugin_without_result(const char *plugin_path, const char *cni_net_conf_json, const struct cni_args *cniargs); + ++int get_version_info(const char *plugin_path, cni_version_info **result_version); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c +index 164b2e29..aa4f75cf 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c ++++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.c +@@ -741,3 +741,32 @@ struct cni_opt_result *new_result(const char *version, const char *jsonstr) + ERROR("unsupported CNI result version \"%s\"", version); + return NULL; + } ++ ++size_t get_curr_support_version_len(void) ++{ ++ return CURR_SUPPORT_VERSION_LEN; ++} ++ ++int get_support_version_pos(const char *version) ++{ ++ int i = 0; ++ if (version == NULL) { ++ return -1; ++ } ++ ++ for (i = CURR_SUPPORT_VERSION_LEN - 1; i >= 0; i--) { ++ if ((g_curr_support_versions[i] != NULL) && (strcmp(version, g_curr_support_versions[i]) == 0)) { ++ return i; ++ } ++ } ++ ++ return -1; ++} ++ ++const char *get_support_version_by_pos(size_t pos) ++{ ++ if (pos >= CURR_SUPPORT_VERSION_LEN) { ++ return NULL; ++ } ++ return g_curr_support_versions[pos]; ++} +\ No newline at end of file +diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h +index 547bc915..438e1332 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h ++++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_result_parse.h +@@ -37,6 +37,12 @@ cni_result_curr *cni_result_curr_to_json_result(const struct cni_opt_result *src + + struct cni_opt_result *copy_result_from_current(const cni_result_curr *curr_result); + ++size_t get_curr_support_version_len(void); ++ ++int get_support_version_pos(const char *version); ++ ++const char *get_support_version_by_pos(size_t pos); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_api.c b/src/daemon/modules/network/cni_operator/libcni/libcni_api.c +index 781759e8..7f62df78 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/libcni_api.c ++++ b/src/daemon/modules/network/cni_operator/libcni/libcni_api.c +@@ -843,6 +843,112 @@ free_out: + return ret; + } + ++static int version_network(const char *plugin_name, cni_version_info **result_version) ++{ ++ int ret = 0; ++ __isula_auto_free char *plugin_path = NULL; ++ ++ if (plugin_name == NULL) { ++ ERROR("Empty plugin name"); ++ return -1; ++ } ++ ++ ret = find_plugin_in_path(plugin_name, (const char * const *)g_module_conf.bin_paths, ++ g_module_conf.bin_paths_len, &plugin_path); ++ if (ret != 0) { ++ ERROR("Failed to find plugin: \"%s\"", plugin_name); ++ isulad_append_error_message("Failed to find plugin: \"%s\". ", plugin_name); ++ return ret; ++ } ++ ++ // cni plugin calls should not take longer than 90 seconds ++ CALL_CHECK_TIMEOUT(90, ret = get_version_info(plugin_path, result_version)); ++ return ret; ++} ++ ++int cni_version_network_list(const struct cni_network_list_conf *list, ++ struct cni_version_info_list **result_version_list) ++{ ++ int ret = 0; ++ int i; ++ cni_version_info *tmp_result_version = NULL; ++ ++ if ((list == NULL) || (list->list == NULL) || (result_version_list == NULL)) { ++ ERROR("Empty arguments"); ++ return -1; ++ } ++ ++ *result_version_list = util_common_calloc_s(sizeof(struct cni_version_info_list)); ++ if (*result_version_list == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ (*result_version_list)->result_versions = util_smart_calloc_s(sizeof(cni_version_info *), list->list->plugins_len); ++ if ((*result_version_list)->result_versions == NULL) { ++ ERROR("Out of memory"); ++ ret = -1; ++ goto free_out; ++ } ++ ++ for (i = 0; i < list->list->plugins_len; i++) { ++ if (version_network(list->list->plugins[i]->type, &tmp_result_version) != 0) { ++ ret = -1; ++ ERROR("Run version plugin: %d failed", i); ++ goto free_out; ++ } ++ (*result_version_list)->result_versions[i] = tmp_result_version; ++ (*result_version_list)->result_versions_len += 1; ++ tmp_result_version = NULL; ++ } ++ ++ return ret; ++ ++free_out: ++ free_cni_version_info_list(*result_version_list); ++ *result_version_list = NULL; ++ return ret; ++} ++ ++/* get the latest CNI version supported by all plugins */ ++char *cni_get_plugins_supported_version(cni_net_conf_list *list) ++{ ++ // init to default version, if no found, just return default version ++ char *cni_version = util_strdup_s(CURRENT_VERSION); ++ int i, j, version_pos; ++ struct cni_version_info_list *result_version_list = NULL; ++ struct cni_network_list_conf network_list = { ++ .list = list, ++ }; ++ size_t curr_support_version_len = get_curr_support_version_len(); ++ __isula_auto_free size_t *plugin_version_count = util_smart_calloc_s(sizeof(size_t), curr_support_version_len); ++ if (plugin_version_count == NULL) { ++ return cni_version; ++ } ++ if (cni_version_network_list(&network_list, &result_version_list) != 0) { ++ return cni_version; ++ } ++ ++ // count plugin supported version ++ for (i = 0; i < result_version_list->result_versions_len; i++) { ++ for (j = result_version_list->result_versions[i]->supported_versions_len - 1; j >= 0 ; j--) { ++ version_pos = get_support_version_pos(result_version_list->result_versions[i]->supported_versions[j]); ++ if (version_pos < 0) { ++ break; ++ } ++ plugin_version_count[version_pos]++; ++ if (plugin_version_count[version_pos] == list->plugins_len) { ++ free(cni_version); ++ cni_version = util_strdup_s(get_support_version_by_pos(version_pos)); ++ goto free_out; ++ } ++ } ++ } ++ ++free_out: ++ free_cni_version_info_list(result_version_list); ++ return cni_version; ++} ++ + static int do_copy_plugin_args(const struct runtime_conf *rc, struct cni_args **cargs) + { + size_t i = 0; +diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_api.h b/src/daemon/modules/network/cni_operator/libcni/libcni_api.h +index 878cb1bb..f94ab3f7 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/libcni_api.h ++++ b/src/daemon/modules/network/cni_operator/libcni/libcni_api.h +@@ -28,9 +28,6 @@ + extern "C" { + #endif + +-#define CURRENT_VERSION "1.0.0" +-#define SUPPORT_CACHE_AND_CHECK_VERSION "0.4.0" +- + #define SUPPORT_CAPABILITY_PORTMAPPINGS "portMappings" + #define SUPPORT_CAPABILITY_BANDWIDTH "bandwidth" + #define SUPPORT_CAPABILITY_IPRANGES "ipRanges" +@@ -87,6 +84,11 @@ int cni_del_network_list(const struct cni_network_list_conf *list, const struct + + int cni_check_network_list(const struct cni_network_list_conf *list, const struct runtime_conf *rc, + struct cni_opt_result **p_result); ++ ++int cni_version_network_list(const struct cni_network_list_conf *list, ++ struct cni_version_info_list **result_version_list); ++ ++char *cni_get_plugins_supported_version(cni_net_conf_list *list); + + void free_cni_port_mapping(struct cni_port_mapping *val); + +diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c +index fd1091de..8a0ce1dd 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c ++++ b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.c +@@ -129,3 +129,21 @@ void free_cni_opt_result(struct cni_opt_result *val) + val->my_dns = NULL; + free(val); + } ++ ++void free_cni_version_info_list(struct cni_version_info_list *val) ++{ ++ size_t i = 0; ++ ++ if (val == NULL) { ++ return; ++ } ++ ++ for (i = 0; i < val->result_versions_len; i++) { ++ free_cni_version_info(val->result_versions[i]); ++ val->result_versions[i] = NULL; ++ } ++ free(val->result_versions); ++ val->result_versions = NULL; ++ ++ free(val); ++} +diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h +index abbc22fe..36640e63 100644 +--- a/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h ++++ b/src/daemon/modules/network/cni_operator/libcni/libcni_result_type.h +@@ -19,10 +19,15 @@ + #include + #include + ++#include ++ + #ifdef __cplusplus + extern "C" { + #endif + ++#define CURRENT_VERSION "1.0.0" ++#define SUPPORT_CACHE_AND_CHECK_VERSION "0.4.0" ++ + /* define types for version */ + struct cni_opt_result_interface { + char *name; +@@ -73,6 +78,11 @@ struct cni_opt_result { + struct cni_opt_result_dns *my_dns; + }; + ++struct cni_version_info_list { ++ cni_version_info **result_versions; ++ size_t result_versions_len; ++}; ++ + void free_cni_opt_result_ipconfig(struct cni_opt_result_ipconfig *ipc); + + void free_cni_opt_result_route(struct cni_opt_result_route *val); +@@ -83,6 +93,8 @@ void free_cni_opt_result_dns(struct cni_opt_result_dns *val); + + void free_cni_opt_result(struct cni_opt_result *val); + ++void free_cni_version_info_list(struct cni_version_info_list *val); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/daemon/modules/network/native/adaptor_native.c b/src/daemon/modules/network/native/adaptor_native.c +index 4c63dec1..45288d7e 100644 +--- a/src/daemon/modules/network/native/adaptor_native.c ++++ b/src/daemon/modules/network/native/adaptor_native.c +@@ -26,6 +26,7 @@ + #include "linked_list.h" + #include "isulad_config.h" + #include ++#include + #include "utils_network.h" + #include "network_tools.h" + #include "cni_operate.h" +@@ -1301,7 +1302,7 @@ static cni_net_conf_list *conf_bridge(const network_create_request *request, str + list->plugins_len++; + } + +- list->cni_version = util_strdup_s(CURRENT_VERSION); ++ list->cni_version = cni_get_plugins_supported_version(list); + if (request->name != NULL) { + list->name = util_strdup_s(request->name); + } else { +-- +2.42.0 + diff --git a/0005-2163-add-bind-mount-file-lock.patch b/0005-2163-add-bind-mount-file-lock.patch deleted file mode 100644 index 4064815..0000000 --- a/0005-2163-add-bind-mount-file-lock.patch +++ /dev/null @@ -1,936 +0,0 @@ -From c1c5159675073450fe13906771cec6f666053380 Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Thu, 31 Aug 2023 13:14:02 +0000 -Subject: [PATCH 05/32] !2163 add bind mount file lock * add bind mount file - lock - ---- - src/cmd/isula/stream/cp.c | 66 ++++++- - src/cmd/isulad/main.c | 51 ++++++ - src/common/constants.h | 4 + - .../executor/container_cb/execution_stream.c | 23 ++- - src/daemon/modules/image/oci/oci_export.c | 13 +- - src/daemon/modules/image/oci/oci_load.c | 13 +- - .../graphdriver/devmapper/driver_devmapper.c | 12 +- - .../graphdriver/overlay2/driver_overlay2.c | 12 +- - src/utils/tar/isulad_tar.c | 16 +- - src/utils/tar/isulad_tar.h | 4 +- - src/utils/tar/util_archive.c | 163 +++++++++++++++--- - src/utils/tar/util_archive.h | 8 +- - 12 files changed, 332 insertions(+), 53 deletions(-) - -diff --git a/src/cmd/isula/stream/cp.c b/src/cmd/isula/stream/cp.c -index f0cd99c9..b1e3bbd6 100644 ---- a/src/cmd/isula/stream/cp.c -+++ b/src/cmd/isula/stream/cp.c -@@ -73,6 +73,44 @@ static void print_copy_from_container_error(const char *ops_err, const char *arc - } - } - -+static int client_get_root_dir(const isula_connect_ops *ops, const client_connect_config_t *config, char **root_dir) -+{ -+ int ret = 0; -+ struct isula_info_request request = { 0 }; -+ struct isula_info_response *response = NULL; -+ -+ response = util_common_calloc_s(sizeof(struct isula_info_response)); -+ if (response == NULL) { -+ COMMAND_ERROR("Info: Out of memory"); -+ return -1; -+ } -+ -+ if (!ops->container.info) { -+ COMMAND_ERROR("Unimplemented info op"); -+ ret = -1; -+ goto out; -+ } -+ -+ ret = ops->container.info(&request, response, (void *)config); -+ if (ret != 0) { -+ client_print_error(response->cc, response->server_errono, response->errmsg); -+ ret = -1; -+ goto out; -+ } -+ -+ if (response->isulad_root_dir == NULL) { -+ COMMAND_ERROR("None root dir"); -+ ret = -1; -+ goto out; -+ } -+ -+ *root_dir = util_strdup_s(response->isulad_root_dir); -+ -+out: -+ isula_info_response_free(response); -+ return ret; -+} -+ - static int client_copy_from_container(const struct client_arguments *args, const char *id, const char *srcpath, - const char *destpath) - { -@@ -84,6 +122,7 @@ static int client_copy_from_container(const struct client_arguments *args, const - char *archive_err = NULL; - char *ops_err = NULL; - char *resolved = NULL; -+ char *root_dir = NULL; - struct archive_copy_info *srcinfo = NULL; - client_connect_config_t config; - -@@ -92,18 +131,24 @@ static int client_copy_from_container(const struct client_arguments *args, const - COMMAND_ERROR("Unimplemented copy from container operation"); - return -1; - } -+ config = get_connect_config(args); -+ -+ ret = client_get_root_dir(ops, &config, &root_dir); -+ if (ret != 0) { -+ return -1; -+ } - - response = util_common_calloc_s(sizeof(struct isula_copy_from_container_response)); - if (response == NULL) { - ERROR("Event: Out of memory"); -- return -1; -+ ret = -1; -+ goto out; - } - - request.id = (char *)id; - request.runtime = args->runtime; - request.srcpath = (char *)srcpath; - -- config = get_connect_config(args); - ret = ops->container.copy_from_container(&request, response, &config); - if (ret) { - ops_err = (response->errmsg != NULL) ? util_strdup_s(response->errmsg) : NULL; -@@ -125,7 +170,7 @@ static int client_copy_from_container(const struct client_arguments *args, const - srcinfo->path = util_strdup_s(srcpath); - srcinfo->isdir = S_ISDIR(response->stat->mode); - -- nret = archive_copy_to(&response->reader, srcinfo, resolved, &archive_err); -+ nret = archive_copy_to(&response->reader, srcinfo, resolved, root_dir, &archive_err); - if (nret != 0) { - ret = nret; - } -@@ -137,6 +182,7 @@ static int client_copy_from_container(const struct client_arguments *args, const - - out: - print_copy_from_container_error(ops_err, archive_err, ret, args); -+ free(root_dir); - free(resolved); - free(archive_err); - free(ops_err); -@@ -167,6 +213,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c - int nret = 0; - char *archive_err = NULL; - char *resolved = NULL; -+ char *root_dir = NULL; - struct archive_copy_info *srcinfo = NULL; - struct io_read_wrapper archive_reader = { 0 }; - client_connect_config_t config = { 0 }; -@@ -176,11 +223,18 @@ static int client_copy_to_container(const struct client_arguments *args, const c - COMMAND_ERROR("Unimplemented copy to container operation"); - return -1; - } -+ config = get_connect_config(args); -+ -+ ret = client_get_root_dir(ops, &config, &root_dir); -+ if (ret != 0) { -+ return -1; -+ } - - response = util_common_calloc_s(sizeof(struct isula_copy_to_container_response)); - if (response == NULL) { - ERROR("Event: Out of memory"); -- return -1; -+ ret = -1; -+ goto out; - } - - request.id = (char *)id; -@@ -199,7 +253,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c - goto out; - } - -- nret = tar_resource(srcinfo, &archive_reader, &archive_err); -+ nret = tar_resource(srcinfo, root_dir, &archive_reader, &archive_err); - if (nret != 0) { - ret = -1; - goto out; -@@ -212,7 +266,6 @@ static int client_copy_to_container(const struct client_arguments *args, const c - request.reader.read = archive_reader.read; - request.reader.close = archive_reader.close; - -- config = get_connect_config(args); - ret = ops->container.copy_to_container(&request, response, &config); - - // archive reader close if copy to container failed -@@ -223,6 +276,7 @@ static int client_copy_to_container(const struct client_arguments *args, const c - - out: - print_copy_to_container_error(response, archive_err, ret, args); -+ free(root_dir); - free(resolved); - free(archive_err); - free_archive_copy_info(srcinfo); -diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c -index 681dcf03..b32b6626 100644 ---- a/src/cmd/isulad/main.c -+++ b/src/cmd/isulad/main.c -@@ -72,6 +72,7 @@ - #include "utils_file.h" - #include "utils_string.h" - #include "utils_verify.h" -+#include "path.h" - #include "volume_api.h" - #ifndef DISABLE_CLEANUP - #include "leftover_cleanup_api.h" -@@ -1383,6 +1384,50 @@ out: - return ret; - } - -+static int create_mount_flock_file(const struct service_arguments *args) -+{ -+ int nret = 0; -+ int fd = -1; -+ char path[PATH_MAX] = { 0 }; -+ char cleanpath[PATH_MAX] = { 0 }; -+ -+ nret = snprintf(path, PATH_MAX, "%s/%s", args->json_confs->graph, MOUNT_FLOCK_FILE_PATH); -+ if (nret < 0 || (size_t)nret >= PATH_MAX) { -+ ERROR("Failed to snprintf"); -+ return -1; -+ } -+ -+ if (util_clean_path(path, cleanpath, sizeof(cleanpath)) == NULL) { -+ ERROR("clean path for %s failed", path); -+ return -1; -+ } -+ -+ if (util_fileself_exists(cleanpath)) { -+ int err = 0; -+ // recreate mount flock file -+ // and make file uid/gid and permission correct -+ if (!util_force_remove_file(cleanpath, &err)) { -+ ERROR("Failed to delete %s, error: %s. Please delete %s manually.", path, strerror(err), path); -+ return -1; -+ } -+ } -+ -+ fd = util_open(cleanpath, O_RDWR | O_CREAT, MOUNT_FLOCK_FILE_MODE); -+ if (fd < 0) { -+ ERROR("Failed to create file %s", cleanpath); -+ return -1; -+ } -+ close(fd); -+ -+ nret = util_set_file_group(cleanpath, args->json_confs->group); -+ if (nret < 0) { -+ ERROR("set group of the path %s failed", cleanpath); -+ return -1; -+ } -+ -+ return 0; -+} -+ - static int isulad_server_init_service() - { - int ret = -1; -@@ -1413,6 +1458,12 @@ static int isulad_server_init_service() - goto unlock_out; - } - -+ ret = create_mount_flock_file(args); -+ if (ret != 0) { -+ ERROR("Failed to create mount flock file"); -+ goto unlock_out; -+ } -+ - unlock_out: - if (isulad_server_conf_unlock()) { - ret = -1; -diff --git a/src/common/constants.h b/src/common/constants.h -index 409a83a1..d93bb464 100644 ---- a/src/common/constants.h -+++ b/src/common/constants.h -@@ -68,6 +68,8 @@ extern "C" { - - #define DEFAULT_HIGHEST_DIRECTORY_MODE 0755 - -+#define MOUNT_FLOCK_FILE_MODE 0660 -+ - #define ISULAD_CONFIG SYSCONFDIR_PREFIX"/etc/isulad" - - #define ISULAD_DAEMON_CONTAINER_CONTEXTS ISULAD_CONFIG "/container_contexts" -@@ -119,6 +121,8 @@ extern "C" { - #define OCI_VERSION "1.0.1" - #endif - -+#define MOUNT_FLOCK_FILE_PATH "isulad-chroot-mount.flock" -+ - #define OCI_IMAGE_GRAPH_ROOTPATH_NAME "storage" - - #ifdef ENABLE_GRPC_REMOTE_CONNECT -diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c -index 32721e68..244ec6a0 100644 ---- a/src/daemon/executor/container_cb/execution_stream.c -+++ b/src/daemon/executor/container_cb/execution_stream.c -@@ -62,6 +62,7 @@ - #include "utils.h" - #include "utils_file.h" - #include "utils_verify.h" -+#include "isulad_config.h" - - #if defined (__ANDROID__) || defined(__MUSL__) - #define SIG_CANCEL_SIGNAL SIGUSR1 -@@ -442,6 +443,7 @@ static int archive_and_send_copy_data(const stream_func_wrapper *stream, - char *absbase = NULL; - char *err = NULL; - char *buf = NULL; -+ char *root_dir = NULL; - char cleaned[PATH_MAX + 2] = { 0 }; - struct io_read_wrapper reader = { 0 }; - char *tar_path = NULL; -@@ -474,9 +476,15 @@ static int archive_and_send_copy_data(const stream_func_wrapper *stream, - goto cleanup; - } - -+ root_dir = conf_get_isulad_rootdir(); -+ if (root_dir == NULL) { -+ ERROR("Failed to get isulad rootdir"); -+ goto cleanup; -+ } -+ - DEBUG("archive chroot tar stream container_fs(%s) srcdir(%s) relative(%s) srcbase(%s) absbase(%s)", - container_fs, srcdir, tar_path, srcbase, absbase); -- nret = archive_chroot_tar_stream(container_fs, tar_path, srcbase, absbase, &reader); -+ nret = archive_chroot_tar_stream(container_fs, tar_path, srcbase, absbase, root_dir, &reader); - if (nret != 0) { - ERROR("Archive %s failed", resolvedpath); - goto cleanup; -@@ -504,6 +512,7 @@ cleanup: - free(srcdir); - free(srcbase); - free(absbase); -+ free(root_dir); - if (reader.close != NULL) { - int cret = reader.close(reader.context, &err); - if (err != NULL) { -@@ -776,15 +785,25 @@ static int read_and_extract_archive(stream_func_wrapper *stream, const char *con - { - int ret = -1; - char *err = NULL; -+ char *root_dir = NULL; - struct io_read_wrapper content = { 0 }; - content.context = stream; - content.read = extract_stream_to_io_read; -- ret = archive_chroot_untar_stream(&content, container_fs, dstdir_in_container, src_rebase, dst_rebase, &err); -+ -+ root_dir = conf_get_isulad_rootdir(); -+ if (root_dir == NULL) { -+ ERROR("Failed to get isulad rootdir"); -+ isulad_set_error_message("Failed to get isulad rootdir"); -+ return -1; -+ } -+ -+ ret = archive_chroot_untar_stream(&content, container_fs, dstdir_in_container, src_rebase, dst_rebase, root_dir, &err); - if (ret != 0) { - ERROR("Can not untar to container: %s", (err != NULL) ? err : "unknown"); - isulad_set_error_message("Can not untar to container: %s", (err != NULL) ? err : "unknown"); - } - free(err); -+ free(root_dir); - return ret; - } - -diff --git a/src/daemon/modules/image/oci/oci_export.c b/src/daemon/modules/image/oci/oci_export.c -index e27ed6d8..6bfcf4d5 100644 ---- a/src/daemon/modules/image/oci/oci_export.c -+++ b/src/daemon/modules/image/oci/oci_export.c -@@ -23,6 +23,7 @@ - #include "util_archive.h" - #include "path.h" - #include "utils_file.h" -+#include "isulad_config.h" - - int oci_do_export(char *id, char *file) - { -@@ -30,6 +31,7 @@ int oci_do_export(char *id, char *file) - int ret2 = 0; - char *mount_point = NULL; - char *errmsg = NULL; -+ char *root_dir = NULL; - char cleanpath[PATH_MAX] = { 0 }; - - if (id == NULL || file == NULL) { -@@ -56,7 +58,15 @@ int oci_do_export(char *id, char *file) - return -1; - } - -- ret = archive_chroot_tar(mount_point, cleanpath, &errmsg); -+ root_dir = conf_get_isulad_rootdir(); -+ if (root_dir == NULL) { -+ ERROR("Failed to get isulad rootdir"); -+ isulad_set_error_message("Failed to get isulad rootdir"); -+ ret = -1; -+ goto out; -+ } -+ -+ ret = archive_chroot_tar(mount_point, cleanpath, root_dir, &errmsg); - if (ret != 0) { - ERROR("failed to export container %s to file %s: %s", id, cleanpath, errmsg); - isulad_set_error_message("Failed to export rootfs with error: %s", errmsg); -@@ -68,6 +78,7 @@ out: - mount_point = NULL; - free(errmsg); - errmsg = NULL; -+ free(root_dir); - - ret2 = storage_rootfs_umount(id, false); - if (ret2 != 0) { -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index 04a9f947..4385e55e 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -41,6 +41,7 @@ - #include "utils_file.h" - #include "utils_verify.h" - #include "oci_image.h" -+#include "isulad_config.h" - - #define MANIFEST_BIG_DATA_KEY "manifest" - #define OCI_SCHEMA_VERSION 2 -@@ -1068,6 +1069,7 @@ int oci_do_load(const im_load_request *request) - char *digest = NULL; - char *dstdir = NULL; - char *err = NULL; -+ char *root_dir = NULL; - - if (request == NULL || request->file == NULL) { - ERROR("Invalid input arguments, cannot load image"); -@@ -1088,8 +1090,16 @@ int oci_do_load(const im_load_request *request) - goto out; - } - -+ root_dir = conf_get_isulad_rootdir(); -+ if (root_dir == NULL) { -+ ERROR("Failed to get isulad rootdir"); -+ isulad_try_set_error_message("Failed to get isulad rootdir"); -+ ret = -1; -+ goto out; -+ } -+ - options.whiteout_format = NONE_WHITEOUT_FORMATE; -- if (archive_unpack(&reader, dstdir, &options, &err) != 0) { -+ if (archive_unpack(&reader, dstdir, &options, root_dir, &err) != 0) { - ERROR("Failed to unpack to %s: %s", dstdir, err); - isulad_try_set_error_message("Failed to unpack to %s: %s", dstdir, err); - ret = -1; -@@ -1175,5 +1185,6 @@ out: - } - free(dstdir); - free(err); -+ free(root_dir); - return ret; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c -index 998ea8c2..ecb62f79 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c -@@ -32,6 +32,7 @@ - #include "utils_file.h" - #include "utils_fs.h" - #include "utils_string.h" -+#include "isulad_config.h" - - struct io_read_wrapper; - -@@ -346,6 +347,7 @@ int devmapper_apply_diff(const char *id, const struct graphdriver *driver, const - int ret = 0; - struct archive_options options = { 0 }; - char *err = NULL; -+ char *root_dir = NULL; - - if (!util_valid_str(id) || driver == NULL || content == NULL) { - ERROR("invalid argument to apply diff with id(%s)", id); -@@ -366,8 +368,15 @@ int devmapper_apply_diff(const char *id, const struct graphdriver *driver, const - goto out; - } - -+ root_dir = conf_get_isulad_rootdir(); -+ if (root_dir == NULL) { -+ ERROR("Failed to get isulad rootdir"); -+ ret = -1; -+ goto umount_out; -+ } -+ - options.whiteout_format = REMOVE_WHITEOUT_FORMATE; -- if (archive_unpack(content, layer_fs, &options, &err) != 0) { -+ if (archive_unpack(content, layer_fs, &options, root_dir, &err) != 0) { - ERROR("devmapper: failed to unpack to %s: %s", layer_fs, err); - ret = -1; - goto umount_out; -@@ -384,6 +393,7 @@ out: - free_driver_mount_opts(mount_opts); - free(layer_fs); - free(err); -+ free(root_dir); - return ret; - } - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -index c5864c90..b177f594 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -@@ -45,6 +45,7 @@ - #include "utils_timestamp.h" - #include "selinux_label.h" - #include "err_msg.h" -+#include "isulad_config.h" - #ifdef ENABLE_REMOTE_LAYER_STORE - #include "ro_symlink_maintain.h" - #endif -@@ -1886,6 +1887,7 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const - char *layer_diff = NULL; - struct archive_options options = { 0 }; - char *err = NULL; -+ char *root_dir = NULL; - - if (id == NULL || driver == NULL || content == NULL) { - ERROR("invalid argument"); -@@ -1919,7 +1921,14 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const - } - #endif - -- ret = archive_unpack(content, layer_diff, &options, &err); -+ root_dir = conf_get_isulad_rootdir(); -+ if (root_dir == NULL) { -+ ERROR("Failed to get isulad rootdir"); -+ ret = -1; -+ goto out; -+ } -+ -+ ret = archive_unpack(content, layer_diff, &options, root_dir ,&err); - if (ret != 0) { - ERROR("Failed to unpack to %s: %s", layer_diff, err); - ret = -1; -@@ -1928,6 +1937,7 @@ int overlay2_apply_diff(const char *id, const struct graphdriver *driver, const - - out: - free(err); -+ free(root_dir); - free(layer_dir); - free(layer_diff); - #ifdef ENABLE_USERNS_REMAP -diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c -index 74176b12..24269c70 100644 ---- a/src/utils/tar/isulad_tar.c -+++ b/src/utils/tar/isulad_tar.c -@@ -385,7 +385,7 @@ cleanup: - } - - int archive_copy_to(const struct io_read_wrapper *content, const struct archive_copy_info *srcinfo, -- const char *dstpath, char **err) -+ const char *dstpath, const char *root_dir, char **err) - { - int ret = -1; - struct archive_copy_info *dstinfo = NULL; -@@ -393,7 +393,7 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_ - char *src_base = NULL; - char *dst_base = NULL; - -- if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL) { -+ if (err == NULL || dstpath == NULL || srcinfo == NULL || content == NULL || root_dir == NULL) { - return -1; - } - -@@ -409,7 +409,7 @@ int archive_copy_to(const struct io_read_wrapper *content, const struct archive_ - goto cleanup; - } - -- ret = archive_chroot_untar_stream(content, dstdir, ".", src_base, dst_base, err); -+ ret = archive_chroot_untar_stream(content, dstdir, ".", src_base, dst_base, root_dir, err); - - cleanup: - free_archive_copy_info(dstinfo); -@@ -419,7 +419,7 @@ cleanup: - return ret; - } - --static int tar_resource_rebase(const char *path, const char *rebase, struct io_read_wrapper *archive_reader, char **err) -+static int tar_resource_rebase(const char *path, const char *rebase, const char *root_dir, struct io_read_wrapper *archive_reader, char **err) - { - int ret = -1; - int nret; -@@ -438,7 +438,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, struct io_r - } - - DEBUG("chroot tar stream srcdir(%s) srcbase(%s) rebase(%s)", srcdir, srcbase, rebase); -- nret = archive_chroot_tar_stream(srcdir, srcbase, srcbase, rebase, archive_reader); -+ nret = archive_chroot_tar_stream(srcdir, srcbase, srcbase, rebase, root_dir, archive_reader); - if (nret < 0) { - ERROR("Can not archive path: %s", path); - goto cleanup; -@@ -450,11 +450,11 @@ cleanup: - return ret; - } - --int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err) -+int tar_resource(const struct archive_copy_info *info, const char *root_dir, struct io_read_wrapper *archive_reader, char **err) - { -- if (info == NULL || archive_reader == NULL || err == NULL) { -+ if (info == NULL || root_dir == NULL || archive_reader == NULL || err == NULL) { - return -1; - } - -- return tar_resource_rebase(info->path, info->rebase_name, archive_reader, err); -+ return tar_resource_rebase(info->path, info->rebase_name, root_dir, archive_reader, err); - } -diff --git a/src/utils/tar/isulad_tar.h b/src/utils/tar/isulad_tar.h -index cdd9858a..414bb024 100644 ---- a/src/utils/tar/isulad_tar.h -+++ b/src/utils/tar/isulad_tar.h -@@ -43,10 +43,10 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li - char *prepare_archive_copy(const struct archive_copy_info *srcinfo, const struct archive_copy_info *dstinfo, - char **src_base, char **dst_base, char **err); - --int tar_resource(const struct archive_copy_info *info, struct io_read_wrapper *archive_reader, char **err); -+int tar_resource(const struct archive_copy_info *info, const char *root_dir, struct io_read_wrapper *archive_reader, char **err); - - int archive_copy_to(const struct io_read_wrapper *content, const struct archive_copy_info *srcinfo, -- const char *dstpath, char **err); -+ const char *dstpath, const char *root_dir, char **err); - - #ifdef __cplusplus - } -diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c -index 0fb7769b..d2fc5488 100644 ---- a/src/utils/tar/util_archive.c -+++ b/src/utils/tar/util_archive.c -@@ -33,10 +33,12 @@ - #include - #include - #include -+#include - - #include - #include - #include -+#include - - #include "error.h" - #include "map.h" -@@ -83,6 +85,31 @@ static ssize_t read_content(struct archive *a, void *client_data, const void **b - return mydata->content->read(mydata->content->context, mydata->buff, sizeof(mydata->buff)); - } - -+static char *generate_flock_path(const char *root_dir) -+{ -+ int nret = 0; -+ char path[PATH_MAX] = { 0 }; -+ char cleanpath[PATH_MAX] = { 0 }; -+ -+ nret = snprintf(path, PATH_MAX, "%s/%s", root_dir, MOUNT_FLOCK_FILE_PATH); -+ if (nret < 0 || (size_t)nret >= PATH_MAX) { -+ ERROR("Failed to snprintf"); -+ return NULL; -+ } -+ -+ if (util_clean_path(path, cleanpath, sizeof(cleanpath)) == NULL) { -+ ERROR("clean path for %s failed", path); -+ return NULL; -+ } -+ -+ if (!util_file_exists(cleanpath)) { -+ ERROR("flock file %s doesn't exist", cleanpath); -+ return NULL; -+ } -+ -+ return util_strdup_s(cleanpath); -+} -+ - static void do_disable_unneccessary_caps() - { - cap_t caps; -@@ -104,7 +131,58 @@ static void do_disable_unneccessary_caps() - cap_free(caps); - } - --static int make_safedir_is_noexec(const char *dstdir, char **safe_dir) -+// Add flock when bind mount and make it private. -+// Because bind mount usually makes safedir shared mount point, -+// and sometimes it will cause "mount point explosion". -+// E.g. concurrently execute isula cp /tmp/ : -+static int bind_mount_with_flock(const char *flock_path, const char *dstdir, const char *tmp_dir) -+{ -+ __isula_auto_close int fd = -1; -+ int ret = -1; -+ -+ fd = open(flock_path, O_RDWR | O_CLOEXEC); -+ if (fd < 0) { -+ SYSERROR("Failed to open file %s", flock_path); -+ return -1; -+ } -+ -+ if (flock(fd, LOCK_EX) != 0) { -+ SYSERROR("Failed to lock file %s", flock_path); -+ return -1; -+ } -+ -+ if (mount(dstdir, tmp_dir, "none", MS_BIND, NULL) != 0) { -+ SYSERROR("Mount safe dir failed"); -+ goto unlock_out; -+ } -+ -+ if (mount(tmp_dir, tmp_dir, "none", MS_BIND | MS_REMOUNT | MS_NOEXEC, NULL) != 0) { -+ SYSERROR("Mount safe dir failed"); -+ if (umount(tmp_dir) != 0) { -+ SYSERROR("Failed to umount target %s", tmp_dir); -+ } -+ goto unlock_out; -+ } -+ -+ // Change the propagation type. -+ if (mount("", tmp_dir, "", MS_PRIVATE, "") != 0) { -+ SYSERROR("Failed to change the propagation type"); -+ if (umount(tmp_dir) != 0) { -+ SYSERROR("Failed to umount target %s", tmp_dir); -+ } -+ goto unlock_out; -+ } -+ -+ ret = 0; -+ -+unlock_out: -+ if (flock(fd, LOCK_UN) != 0) { -+ SYSERROR("Failed to unlock file %s", flock_path); -+ } -+ return ret; -+} -+ -+static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, char **safe_dir) - { - struct stat buf; - char *isulad_tmpdir_env = NULL; -@@ -156,19 +234,8 @@ static int make_safedir_is_noexec(const char *dstdir, char **safe_dir) - return -1; - } - -- if (mount(dstdir, tmp_dir, "none", MS_BIND, NULL) != 0) { -- SYSERROR("Mount safe dir failed"); -- if (util_path_remove(tmp_dir) != 0) { -- ERROR("Failed to remove path %s", tmp_dir); -- } -- return -1; -- } -- -- if (mount(tmp_dir, tmp_dir, "none", MS_BIND | MS_REMOUNT | MS_NOEXEC, NULL) != 0) { -- SYSERROR("Mount safe dir failed"); -- if (umount(tmp_dir) != 0) { -- ERROR("Failed to umount target %s", tmp_dir); -- } -+ if (bind_mount_with_flock(flock_path, dstdir, tmp_dir) != 0) { -+ ERROR("Failed to bind mount from %s to %s with flock", dstdir, tmp_dir); - if (util_path_remove(tmp_dir) != 0) { - ERROR("Failed to remove path %s", tmp_dir); - } -@@ -723,7 +790,7 @@ static void set_child_process_pdeathsig(void) - } - - int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, const struct archive_options *options, -- char **errmsg) -+ const char *root_dir, char **errmsg) - { - int ret = 0; - pid_t pid = -1; -@@ -731,12 +798,24 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co - int pipe_stderr[2] = { -1, -1 }; - char errbuf[BUFSIZ + 1] = { 0 }; - char *safe_dir = NULL; -+ char *flock_path = NULL; - -- if (make_safedir_is_noexec(dstdir, &safe_dir) != 0) { -- ERROR("Prepare safe dir failed"); -+ if (content == NULL || dstdir == NULL || options == NULL || root_dir == NULL) { - return -1; - } - -+ flock_path = generate_flock_path(root_dir); -+ if (flock_path == NULL) { -+ ERROR("Failed to generate flock path"); -+ return -1; -+ } -+ -+ if (make_safedir_is_noexec(flock_path, dstdir, &safe_dir) != 0) { -+ ERROR("Prepare safe dir failed"); -+ ret = -1; -+ goto cleanup; -+ } -+ - if (pipe2(pipe_stderr, O_CLOEXEC) != 0) { - ERROR("Failed to create pipe"); - ret = -1; -@@ -816,6 +895,7 @@ cleanup: - ERROR("Failed to remove path %s", safe_dir); - } - free(safe_dir); -+ free(flock_path); - return ret; - } - -@@ -1126,7 +1206,7 @@ static ssize_t fd_write(void *context, const void *data, size_t len) - return util_write_nointr(*(int *)context, data, len); - } - --int archive_chroot_tar(char *path, char *file, char **errmsg) -+int archive_chroot_tar(const char *path, const char *file, const char *root_dir, char **errmsg) - { - struct io_write_wrapper pipe_context = { 0 }; - int ret = 0; -@@ -1136,12 +1216,24 @@ int archive_chroot_tar(char *path, char *file, char **errmsg) - char errbuf[BUFSIZ + 1] = { 0 }; - int fd = 0; - char *safe_dir = NULL; -+ char *flock_path = NULL; - -- if (make_safedir_is_noexec(path, &safe_dir) != 0) { -- ERROR("Prepare safe dir failed"); -+ if (path == NULL || file == NULL || root_dir == NULL) { -+ return -1; -+ } -+ -+ flock_path = generate_flock_path(root_dir); -+ if (flock_path == NULL) { -+ ERROR("Failed to generate flock path"); - return -1; - } - -+ if (make_safedir_is_noexec(flock_path, path, &safe_dir) != 0) { -+ ERROR("Prepare safe dir failed"); -+ ret = -1; -+ goto cleanup; -+ } -+ - if (pipe2(pipe_for_read, O_CLOEXEC) != 0) { - ERROR("Failed to create pipe"); - ret = -1; -@@ -1232,6 +1324,7 @@ cleanup: - ERROR("Failed to remove path %s", safe_dir); - } - free(safe_dir); -+ free(flock_path); - return ret; - } - -@@ -1352,7 +1445,7 @@ static int archive_context_close(void *context, char **err) - } - - int archive_chroot_untar_stream(const struct io_read_wrapper *context, const char *chroot_dir, const char *untar_dir, -- const char *src_base, const char *dst_base, char **errmsg) -+ const char *src_base, const char *dst_base, const char *root_dir, char **errmsg) - { - struct io_read_wrapper pipe_context = { 0 }; - int pipe_stream[2] = { -1, -1 }; -@@ -1370,12 +1463,19 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha - .dst_base = dst_base - }; - char *safe_dir = NULL; -+ char *flock_path = NULL; - -- if (make_safedir_is_noexec(chroot_dir, &safe_dir) != 0) { -- ERROR("Prepare safe dir failed"); -+ flock_path = generate_flock_path(root_dir); -+ if (flock_path == NULL) { -+ ERROR("Failed to generate flock path"); - return -1; - } - -+ if (make_safedir_is_noexec(flock_path, chroot_dir, &safe_dir) != 0) { -+ ERROR("Prepare safe dir failed"); -+ goto cleanup; -+ } -+ - if (pipe(pipe_stderr) != 0) { - ERROR("Failed to create pipe: %s", strerror(errno)); - goto cleanup; -@@ -1483,12 +1583,13 @@ cleanup: - ERROR("Failed to remove path %s", safe_dir); - } - free(safe_dir); -+ free(flock_path); - - return ret; - } - - int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, const char *src_base, const char *dst_base, -- struct io_read_wrapper *reader) -+ const char *root_dir, struct io_read_wrapper *reader) - { - struct io_write_wrapper pipe_context = { 0 }; - int keepfds[] = { -1, -1, -1 }; -@@ -1498,12 +1599,19 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons - pid_t pid; - struct archive_context *ctx = NULL; - char *safe_dir = NULL; -+ char *flock_path = NULL; - -- if (make_safedir_is_noexec(chroot_dir, &safe_dir) != 0) { -- ERROR("Prepare safe dir failed"); -+ flock_path = generate_flock_path(root_dir); -+ if (flock_path == NULL) { -+ ERROR("Failed to generate flock path"); - return -1; - } - -+ if (make_safedir_is_noexec(flock_path, chroot_dir, &safe_dir) != 0) { -+ ERROR("Prepare safe dir failed"); -+ goto free_out; -+ } -+ - if (pipe(pipe_stderr) != 0) { - ERROR("Failed to create pipe: %s", strerror(errno)); - goto free_out; -@@ -1607,6 +1715,7 @@ free_out: - close_archive_pipes_fd(pipe_stderr, 2); - close_archive_pipes_fd(pipe_stream, 2); - free(ctx); -+ free(flock_path); - if (safe_dir != NULL) { - if (umount(safe_dir) != 0) { - ERROR("Failed to umount target %s", safe_dir); -@@ -1848,4 +1957,4 @@ int archive_copy_oci_tar_split_and_ret_size(int src_fd, const char *dist_file, i - } - - return foreach_archive_entry(archive_entry_parse, src_fd, dist_file, ret_size); --} -\ No newline at end of file -+} -diff --git a/src/utils/tar/util_archive.h b/src/utils/tar/util_archive.h -index 5cc2c5ec..8f0ab2a4 100644 ---- a/src/utils/tar/util_archive.h -+++ b/src/utils/tar/util_archive.h -@@ -45,17 +45,17 @@ struct archive_options { - }; - - int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, const struct archive_options *options, -- char **errmsg); -+ const char *root_dir, char **errmsg); - - bool valid_archive_format(const char *file); - --int archive_chroot_tar(char *path, char *file, char **errmsg); -+int archive_chroot_tar(const char *path, const char *file, const char *root_dir, char **errmsg); - - int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, const char *src_base, -- const char *dst_base, struct io_read_wrapper *content); -+ const char *dst_base, const char *root_dir, struct io_read_wrapper *content); - int archive_chroot_untar_stream(const struct io_read_wrapper *content, const char *chroot_dir, - const char *untar_dir, const char *src_base, const char *dst_base, -- char **errmsg); -+ const char *root_dir, char **errmsg); - - int archive_copy_oci_tar_split_and_ret_size(int src_fd, const char *dist_file, int64_t *ret_size); - --- -2.25.1 - diff --git a/0005-doc-support-version-opt.patch b/0005-doc-support-version-opt.patch new file mode 100644 index 0000000..39ebd5a --- /dev/null +++ b/0005-doc-support-version-opt.patch @@ -0,0 +1,87 @@ +From e314c2ba64b6f7a8b88566e6c01fac791c8e4186 Mon Sep 17 00:00:00 2001 +From: liuxu +Date: Wed, 8 Nov 2023 16:03:50 +0800 +Subject: [PATCH 05/14] doc:support version opt + +--- + .../detailed/Network/cni_1.0.0_change.md | 24 ++++++++++++++++++- + .../detailed/Network/cni_operator_design.md | 8 +++++++ + .../Network/cni_operator_design_zh.md | 8 +++++++ + 3 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/docs/design/detailed/Network/cni_1.0.0_change.md b/docs/design/detailed/Network/cni_1.0.0_change.md +index 35dde2f7..a91225fb 100644 +--- a/docs/design/detailed/Network/cni_1.0.0_change.md ++++ b/docs/design/detailed/Network/cni_1.0.0_change.md +@@ -33,7 +33,29 @@ cni_net_conf_runtime_config; + ## 2. Execution Protocol + ### VERSION + +-VERSION操作用于检查插件支持的CNI规范的版本,在spec-v1.0.0中,它增加了输入参数cniVersion,iSulad未使用VERSION功能,因此不涉及。 ++VERSION操作用于检查插件支持的CNI规范的版本,在spec-v1.0.0中,它增加了输入参数cniVersion。 ++ ++整体时序: ++```mermaid ++sequenceDiagram ++ participant conf_bridge ++ participant cni_get_plugins_supported_version ++ participant cni_version_network_list ++ participant version_network ++ participant get_version_info ++ conf_bridge ->> cni_get_plugins_supported_version:post cni_net_conf_list ++ cni_get_plugins_supported_version ->> cni_version_network_list:post cni_net_conf_list ++ loop for each plugin ++ cni_version_network_list ->> version_network:post each cni_net_conf ++ version_network ->> get_version_info:post each cni_net_conf plugin path e.g. ++ get_version_info -->> version_network:get version_result ++ version_network -->> cni_version_network_list:get version_result ++ end ++ cni_version_network_list ->> cni_version_network_list:comb cni_version_info_list ++ cni_version_network_list -->> cni_get_plugins_supported_version:get cni_version_info_list ++ cni_get_plugins_supported_version ->> cni_get_plugins_supported_version:find the latest CNI version supported by all plugins ++ cni_get_plugins_supported_version -->> conf_bridge:get version ++``` + + ## 3. Execution of Network Configurations + +diff --git a/docs/design/detailed/Network/cni_operator_design.md b/docs/design/detailed/Network/cni_operator_design.md +index e77f4f94..64aaf2ed 100644 +--- a/docs/design/detailed/Network/cni_operator_design.md ++++ b/docs/design/detailed/Network/cni_operator_design.md +@@ -73,6 +73,14 @@ int detach_network_plane(const struct cni_manager *manager, const struct cni_net + * Return value: return 0 on success, non-zero on failure + */ + int check_network_plane(const struct cni_manager *manager, const struct cni_network_list_conf *list, struct cni_opt_result **result); ++ ++/* ++* Description: get the CNI version information supported by the plugins required for the single network plane of the container; ++* list: network configuration; ++* result_version_list: record the CNI version supported by the plugins; ++* Return value: return 0 on success, non-zero on failure ++*/ ++int version_network_plane(const struct cni_network_list_conf *list, struct cni_result_version_list **result_version_list); + ```` + + # 4. Detailed Design +diff --git a/docs/design/detailed/Network/cni_operator_design_zh.md b/docs/design/detailed/Network/cni_operator_design_zh.md +index ac88806e..6aa3c51a 100644 +--- a/docs/design/detailed/Network/cni_operator_design_zh.md ++++ b/docs/design/detailed/Network/cni_operator_design_zh.md +@@ -73,6 +73,14 @@ int detach_network_plane(const struct cni_manager *manager, const struct cni_net + * 返回值:成功返回0,失败返回非0 + */ + int check_network_plane(const struct cni_manager *manager, const struct cni_network_list_conf *list, struct cni_opt_result **result); ++ ++/* ++* 说明:获取容器单网络平面所需的插件支持的CNI版本信息; ++* list: 网络配置; ++* result_version_list:记录插件支持的CNI版本信息; ++* 返回值:成功返回0,失败返回非0 ++*/ ++int version_network_plane(const struct cni_network_list_conf *list, struct cni_result_version_list **result_version_list); + ``` + + # 4.详细设计 +-- +2.42.0 + diff --git a/0006-2168-fix-code-bug.patch b/0006-2168-fix-code-bug.patch deleted file mode 100644 index 68d3dac..0000000 --- a/0006-2168-fix-code-bug.patch +++ /dev/null @@ -1,1054 +0,0 @@ -From f6c1ec5c8603124511c7a726a487757609a1d7a5 Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Tue, 5 Sep 2023 02:15:57 +0000 -Subject: [PATCH 06/32] !2168 fix code bug * fix code bug - ---- - src/daemon/common/events_format.c | 6 +- - src/daemon/common/selinux_label.c | 22 +- - src/daemon/common/selinux_label.h | 8 +- - src/daemon/config/isulad_config.c | 276 ++++++++++-------- - src/daemon/config/isulad_config.h | 62 ++-- - src/daemon/executor/container_cb/execution.c | 4 +- - .../executor/container_cb/execution_create.c | 2 +- - .../executor/container_cb/execution_network.c | 9 + - .../executor/container_cb/execution_stream.h | 6 +- - src/daemon/executor/container_cb/list.c | 4 +- - src/daemon/executor/image_cb/image_cb.c | 18 +- - 11 files changed, 233 insertions(+), 184 deletions(-) - -diff --git a/src/daemon/common/events_format.c b/src/daemon/common/events_format.c -index e5ceab92..514b060e 100644 ---- a/src/daemon/common/events_format.c -+++ b/src/daemon/common/events_format.c -@@ -83,7 +83,11 @@ struct isulad_events_format *dup_event(const struct isulad_events_format *event) - return NULL; - } - -- event_copy(event, out); -+ if (event_copy(event, out) != 0) { -+ ERROR("Failed to copy event"); -+ isulad_events_format_free(out); -+ return NULL; -+ } - - return out; - } -diff --git a/src/daemon/common/selinux_label.c b/src/daemon/common/selinux_label.c -index 585a5e35..e6527bd0 100644 ---- a/src/daemon/common/selinux_label.c -+++ b/src/daemon/common/selinux_label.c -@@ -247,7 +247,7 @@ static int get_current_label(char **content) - return read_con(path, content); - } - --bool selinux_get_enable() -+bool selinux_get_enable(void) - { - bool enabled_set = false; - bool enabled = false; -@@ -295,7 +295,7 @@ bool selinux_get_enable() - } - - // just disable selinux support for iSulad --void selinux_set_disabled() -+void selinux_set_disabled(void) - { - (void)set_state_enable(false); - } -@@ -376,9 +376,10 @@ int selinux_state_init(void) - return 0; - } - --void selinux_state_free() -+void selinux_state_free(void) - { - do_selinux_state_free(g_selinux_state); -+ g_selinux_state = NULL; - } - - /* MCS already exists */ -@@ -986,6 +987,11 @@ int relabel(const char *path, const char *file_label, bool shared) - return 0; - } - -+ if (path == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - tmp_file_label = util_strdup_s(file_label); - if (is_exclude_relabel_path(path)) { - ERROR("SELinux relabeling of %s is not allowed", path); -@@ -1059,6 +1065,11 @@ int dup_security_opt(const char *src, char ***dst, size_t *len) - return 0; - } - -+ if (dst == NULL || len == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - context_t con = context_new(src); - if (con == NULL) { - ERROR("context new failed"); -@@ -1107,6 +1118,11 @@ out: - - int get_disable_security_opt(char ***labels, size_t *labels_len) - { -+ if (labels == NULL || labels_len == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - if (util_array_append(labels, "disable") != 0) { - ERROR("Failed to append label"); - return -1; -diff --git a/src/daemon/common/selinux_label.h b/src/daemon/common/selinux_label.h -index 625e94c3..4a3c03d4 100644 ---- a/src/daemon/common/selinux_label.h -+++ b/src/daemon/common/selinux_label.h -@@ -24,14 +24,14 @@ extern "C" { - #endif - - int selinux_state_init(void); --void selinux_set_disabled(); --bool selinux_get_enable(); --int init_label(const char **label_opts, size_t label_opts_len, char **process_label, char **mount_label); -+void selinux_set_disabled(void); -+bool selinux_get_enable(void); -+int init_label(const char **label_opts, size_t label_opts_len, char **dst_process_label, char **dst_mount_label); - int relabel(const char *path, const char *file_label, bool shared); - int get_disable_security_opt(char ***labels, size_t *labels_len); - int dup_security_opt(const char *src, char ***dst, size_t *len); - char *selinux_format_mountlabel(const char *src, const char *mount_label); --void selinux_state_free(); -+void selinux_state_free(void); - #ifdef __cplusplus - } - #endif -diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c -index 269ab310..f600f0cf 100644 ---- a/src/daemon/config/isulad_config.c -+++ b/src/daemon/config/isulad_config.c -@@ -125,7 +125,7 @@ out: - } - - /* isulad server conf wrlock */ --int isulad_server_conf_wrlock() -+int isulad_server_conf_wrlock(void) - { - int ret = 0; - -@@ -138,7 +138,7 @@ int isulad_server_conf_wrlock() - } - - /* isulad server conf rdlock */ --int isulad_server_conf_rdlock() -+int isulad_server_conf_rdlock(void) - { - int ret = 0; - -@@ -151,7 +151,7 @@ int isulad_server_conf_rdlock() - } - - /* isulad server conf unlock */ --int isulad_server_conf_unlock() -+int isulad_server_conf_unlock(void) - { - int ret = 0; - -@@ -163,13 +163,13 @@ int isulad_server_conf_unlock() - return ret; - } - --struct service_arguments *conf_get_server_conf() -+struct service_arguments *conf_get_server_conf(void) - { - return g_isulad_conf.server_conf; - } - - /* conf get isulad pidfile */ --char *conf_get_isulad_pidfile() -+char *conf_get_isulad_pidfile(void) - { - char *filename = NULL; - struct service_arguments *conf = NULL; -@@ -191,7 +191,7 @@ out: - } - - /* conf get engine rootpath */ --char *conf_get_engine_rootpath() -+char *conf_get_engine_rootpath(void) - { - char *epath = NULL; - char *rootpath = NULL; -@@ -238,7 +238,7 @@ int conf_get_cgroup_cpu_rt(int64_t *cpu_rt_period, int64_t *cpu_rt_runtime) - } - - conf = conf_get_server_conf(); -- if (conf == NULL) { -+ if (conf == NULL || conf->json_confs == NULL) { - (void)isulad_server_conf_unlock(); - return -1; - } -@@ -254,7 +254,7 @@ int conf_get_cgroup_cpu_rt(int64_t *cpu_rt_period, int64_t *cpu_rt_runtime) - } - - /* conf get graph checked flag file path */ --char *conf_get_graph_check_flag_file() -+char *conf_get_graph_check_flag_file(void) - { - char *epath = NULL; - char *rootpath = NULL; -@@ -307,7 +307,7 @@ char *conf_get_routine_rootdir(const char *runtime) - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->graph == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->graph == NULL) { - ERROR("Server conf is NULL or rootpath is NULL"); - goto out; - } -@@ -357,7 +357,7 @@ char *conf_get_routine_statedir(const char *runtime) - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->state == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->state == NULL) { - goto out; - } - -@@ -460,7 +460,7 @@ out: - #endif - - /* conf get isulad rootdir */ --char *conf_get_isulad_rootdir() -+char *conf_get_isulad_rootdir(void) - { - char *path = NULL; - struct service_arguments *conf = NULL; -@@ -470,7 +470,7 @@ char *conf_get_isulad_rootdir() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->graph == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->graph == NULL) { - goto out; - } - -@@ -482,7 +482,7 @@ out: - } - - /* conf get registry */ --char **conf_get_registry_list() -+char **conf_get_registry_list(void) - { - int nret = 0; - size_t i; -@@ -495,7 +495,7 @@ char **conf_get_registry_list() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->registry_mirrors_len == 0) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->registry_mirrors_len == 0) { - goto out; - } - -@@ -518,7 +518,7 @@ out: - } - - /* conf get insecure registry */ --char **conf_get_insecure_registry_list() -+char **conf_get_insecure_registry_list(void) - { - int nret = 0; - size_t i; -@@ -531,7 +531,7 @@ char **conf_get_insecure_registry_list() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->insecure_registries_len == 0) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->insecure_registries_len == 0) { - goto out; - } - -@@ -554,7 +554,7 @@ out: - } - - /* conf get isulad statedir */ --char *conf_get_isulad_statedir() -+char *conf_get_isulad_statedir(void) - { - char *path = NULL; - struct service_arguments *conf = NULL; -@@ -564,7 +564,7 @@ char *conf_get_isulad_statedir() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->state == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->state == NULL) { - goto out; - } - -@@ -576,7 +576,7 @@ out: - } - - /* isulad monitor fifo name */ --char *conf_get_isulad_monitor_fifo_path() -+char *conf_get_isulad_monitor_fifo_path(void) - { - int ret; - char fifo_file_path[PATH_MAX] = { 0 }; -@@ -631,7 +631,7 @@ static char *get_parent_mount_dir(char *graph) - } - - /* conf get isulad mount rootfs */ --char *conf_get_isulad_mount_rootfs() -+char *conf_get_isulad_mount_rootfs(void) - { - char *path = NULL; - struct service_arguments *conf = NULL; -@@ -653,7 +653,7 @@ out: - } - - /* conf get isulad umask for containers */ --char *conf_get_isulad_native_umask() -+char *conf_get_isulad_native_umask(void) - { - char *umask = NULL; - struct service_arguments *conf = NULL; -@@ -663,7 +663,7 @@ char *conf_get_isulad_native_umask() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->native_umask == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->native_umask == NULL) { - goto out; - } - -@@ -675,7 +675,7 @@ out: - } - - /* conf get isulad cgroup parent for containers */ --char *conf_get_isulad_cgroup_parent() -+char *conf_get_isulad_cgroup_parent(void) - { - char *cgroup_parent = NULL; - struct service_arguments *conf = NULL; -@@ -685,7 +685,7 @@ char *conf_get_isulad_cgroup_parent() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->cgroup_parent == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->cgroup_parent == NULL) { - goto out; - } - -@@ -697,7 +697,7 @@ out: - } - - /* conf get isulad loglevel */ --char *conf_get_isulad_loglevel() -+char *conf_get_isulad_loglevel(void) - { - char *loglevel = NULL; - struct service_arguments *conf = NULL; -@@ -707,7 +707,7 @@ char *conf_get_isulad_loglevel() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->log_level == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->log_level == NULL) { - goto out; - } - -@@ -725,7 +725,7 @@ char *get_log_file_helper(const struct service_arguments *conf, const char *suff - size_t len = 0; - int nret = 0; - -- if (suffix == NULL) { -+ if (conf == NULL || suffix == NULL) { - return NULL; - } - -@@ -757,7 +757,7 @@ out: - } - - /* conf get isulad log gather fifo path */ --char *conf_get_isulad_log_gather_fifo_path() -+char *conf_get_isulad_log_gather_fifo_path(void) - { - #define LOG_GATHER_FIFO_NAME "/isulad_log_gather_fifo" - char *logfile = NULL; -@@ -796,7 +796,7 @@ out: - } - - /* conf get isulad log file */ --char *conf_get_isulad_log_file() -+char *conf_get_isulad_log_file(void) - { - char *logfile = NULL; - struct service_arguments *conf = NULL; -@@ -818,7 +818,7 @@ out: - } - - /* conf get engine log file */ --char *conf_get_engine_log_file() -+char *conf_get_engine_log_file(void) - { - char *logfile = NULL; - char *full_path = NULL; -@@ -885,7 +885,7 @@ int conf_get_daemon_log_config(char **loglevel, char **logdriver, char **engine_ - } - - /* conf get isulad logdriver */ --char *conf_get_isulad_logdriver() -+char *conf_get_isulad_logdriver(void) - { - char *logdriver = NULL; - struct service_arguments *conf = NULL; -@@ -895,7 +895,7 @@ char *conf_get_isulad_logdriver() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->log_driver == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->log_driver == NULL) { - goto out; - } - -@@ -915,12 +915,17 @@ int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts) - size_t i; - int ret = 0; - -+ if (opts == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - if (isulad_server_conf_rdlock() != 0) { - return -1; - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->container_log == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->container_log == NULL) { - goto out; - } - work = conf->json_confs->container_log; -@@ -962,7 +967,7 @@ out: - } - - /* conf get image layer check flag */ --bool conf_get_image_layer_check_flag() -+bool conf_get_image_layer_check_flag(void) - { - bool check_flag = false; - struct service_arguments *conf = NULL; -@@ -972,7 +977,7 @@ bool conf_get_image_layer_check_flag() - } - - conf = conf_get_server_conf(); -- if (conf == NULL) { -+ if (conf == NULL || conf->json_confs == NULL) { - goto out; - } - -@@ -984,7 +989,7 @@ out: - } - - /* conf get flag of use decrypted key to pull image */ --bool conf_get_use_decrypted_key_flag() -+bool conf_get_use_decrypted_key_flag(void) - { - bool check_flag = true; - struct service_arguments *conf = NULL; -@@ -994,7 +999,7 @@ bool conf_get_use_decrypted_key_flag() - } - - conf = conf_get_server_conf(); -- if (conf == NULL || conf->json_confs->use_decrypted_key == NULL) { -+ if (conf == NULL || conf->json_confs == NULL || conf->json_confs->use_decrypted_key == NULL) { - goto out; - } - -@@ -1005,7 +1010,7 @@ out: - return check_flag; - } - --bool conf_get_skip_insecure_verify_flag() -+bool conf_get_skip_insecure_verify_flag(void) - { - bool check_flag = false; - struct service_arguments *conf = NULL; -@@ -1015,7 +1020,7 @@ bool conf_get_skip_insecure_verify_flag() - } - - conf = conf_get_server_conf(); -- if (conf == NULL) { -+ if (conf == NULL || conf->json_confs == NULL) { - goto out; - } - -@@ -1026,69 +1031,86 @@ out: - return check_flag; - } - --#define OCI_STR_ARRAY_DUP(src, dest, srclen, destlen, ret) \ -- do { \ -- if ((src) != NULL) { \ -- (dest) = util_str_array_dup((const char **)(src), (srclen)); \ -- if ((dest) == NULL) { \ -- (ret) = -1; \ -- goto out; \ -- } \ -- (destlen) = (srclen); \ -- } \ -- } while (0) -- --#define HOOKS_ELEM_DUP_DEF(item) \ -- defs_hook *hooks_##item##_elem_dup(const defs_hook *src) \ -- { \ -- int ret = 0; \ -- defs_hook *dest = NULL; \ -- if (src == NULL) \ -- return NULL; \ -- dest = util_common_calloc_s(sizeof(defs_hook)); \ -- if (dest == NULL) \ -- return NULL; \ -- dest->path = util_strdup_s(src->path); \ -- OCI_STR_ARRAY_DUP(src->args, dest->args, src->args_len, dest->args_len, ret); \ -- OCI_STR_ARRAY_DUP(src->env, dest->env, src->env_len, dest->env_len, ret); \ -- dest->timeout = src->timeout; \ -- out: \ -- if (ret != 0 && dest != NULL) { \ -- free_defs_hook(dest); \ -- dest = NULL; \ -- } \ -- return dest; \ -- } -- --/* HOOKS ELEM DUP DEF */ --HOOKS_ELEM_DUP_DEF(prestart) --/* HOOKS ELEM DUP DEF */ --HOOKS_ELEM_DUP_DEF(poststart) --/* HOOKS ELEM DUP DEF */ --HOOKS_ELEM_DUP_DEF(poststop) -- --#define HOOKS_ITEM_DUP_DEF(item) \ -- int hooks_##item##_dup(oci_runtime_spec_hooks *dest, const oci_runtime_spec_hooks *src) \ -- { \ -- int i = 0; \ -- dest->item = util_smart_calloc_s(sizeof(defs_hook *), (src->item##_len + 1)); \ -- if (dest->item == NULL) \ -- return -1; \ -- dest->item##_len = src->item##_len; \ -- for (; (size_t)i < src->item##_len; ++i) { \ -- dest->item[i] = hooks_##item##_elem_dup(src->item[i]); \ -- if (dest->item[i] == NULL) \ -- return -1; \ -- } \ -- return 0; \ -- } -- --/* HOOKS ITEM DUP DEF */ --HOOKS_ITEM_DUP_DEF(prestart) --/* HOOKS ITEM DUP DEF */ --HOOKS_ITEM_DUP_DEF(poststart) --/* HOOKS ITEM DUP DEF */ --HOOKS_ITEM_DUP_DEF(poststop) -+static defs_hook *hooks_elem_dup(const defs_hook *src) -+{ -+ defs_hook *dest = NULL; -+ -+ if (src == NULL) { -+ return NULL; -+ } -+ -+ dest = (defs_hook *)util_common_calloc_s(sizeof(defs_hook)); -+ if (dest == NULL) { -+ ERROR("Out of memory"); -+ return NULL; -+ } -+ -+ dest->path = util_strdup_s(src->path); -+ dest->timeout = src->timeout; -+ -+ if (src->args_len != 0) { -+ dest->args = util_str_array_dup((const char **)(src->args), src->args_len); -+ if (dest->args == NULL) { -+ ERROR("Failed to duplicate string array"); -+ goto err_out; -+ } -+ dest->args_len = src->args_len; -+ } -+ -+ if (src->env_len != 0) { -+ dest->env = util_str_array_dup((const char **)(src->env), src->env_len); -+ if (dest->env == NULL) { -+ ERROR("Failed to duplicate string array"); -+ goto err_out; -+ } -+ dest->env_len = src->env_len; -+ } -+ -+ return dest; -+ -+err_out: -+ free_defs_hook(dest); -+ return NULL; -+} -+ -+static int hooks_array_dup(const defs_hook **src, const size_t src_len, defs_hook ***dst, size_t *dst_len) -+{ -+ size_t i; -+ size_t tmp_len = 0; -+ defs_hook **tmp_dst = NULL; -+ -+ if (src_len > SIZE_MAX - 1) { -+ ERROR("Invalid hooks array length"); -+ return -1; -+ } -+ -+ tmp_dst = (defs_hook **)util_smart_calloc_s(sizeof(defs_hook *), src_len + 1); -+ if (tmp_dst == NULL) { -+ ERROR("Out of memory"); -+ return -1; -+ } -+ -+ for(i = 0; i < src_len; i++) { -+ tmp_dst[i] = hooks_elem_dup(src[i]); -+ if (tmp_dst[i] == NULL) { -+ ERROR("Failed to duplicate hooks element"); -+ goto err_out; -+ } -+ tmp_len++; -+ } -+ -+ *dst = tmp_dst; -+ *dst_len = tmp_len; -+ return 0; -+ -+err_out: -+ for(i = 0; i < tmp_len; i++) { -+ free_defs_hook(tmp_dst[i]); -+ } -+ free(tmp_dst); -+ -+ return -1; -+} - - /* hooks_dup */ - oci_runtime_spec_hooks *hooks_dup(const oci_runtime_spec_hooks *src) -@@ -1104,17 +1126,17 @@ oci_runtime_spec_hooks *hooks_dup(const oci_runtime_spec_hooks *src) - return NULL; - } - -- ret = hooks_prestart_dup(dest, src); -+ ret = hooks_array_dup((const defs_hook **)src->prestart, src->prestart_len, &dest->prestart, &dest->prestart_len); - if (ret != 0) { - goto out; - } - -- ret = hooks_poststart_dup(dest, src); -+ ret = hooks_array_dup((const defs_hook **)src->poststart, src->poststart_len, &dest->poststart, &dest->poststart_len); - if (ret != 0) { - goto out; - } - -- ret = hooks_poststop_dup(dest, src); -+ ret = hooks_array_dup((const defs_hook **)src->poststop, src->poststop_len, &dest->poststop, &dest->poststop_len); - - out: - if (ret != 0) { -@@ -1130,6 +1152,11 @@ int conf_get_isulad_hooks(oci_runtime_spec_hooks **phooks) - int ret = 0; - struct service_arguments *conf = NULL; - -+ if (phooks == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - if (isulad_server_conf_rdlock() != 0) { - return -1; - } -@@ -1184,7 +1211,7 @@ out: - } - - /* conf get start timeout */ --unsigned int conf_get_start_timeout() -+unsigned int conf_get_start_timeout(void) - { - struct service_arguments *conf = NULL; - unsigned int ret = 0; -@@ -1204,7 +1231,7 @@ out: - return ret; - } - --char *conf_get_default_runtime() -+char *conf_get_default_runtime(void) - { - struct service_arguments *conf = NULL; - char *result = NULL; -@@ -1226,7 +1253,7 @@ out: - return result; - } - --char *conf_get_enable_plugins() -+char *conf_get_enable_plugins(void) - { - struct service_arguments *conf = NULL; - char *plugins = NULL; -@@ -1249,7 +1276,7 @@ out: - } - - #ifdef ENABLE_USERNS_REMAP --char *conf_get_isulad_userns_remap() -+char *conf_get_isulad_userns_remap(void) - { - struct service_arguments *conf = NULL; - char *userns_remap = NULL; -@@ -1335,7 +1362,7 @@ int conf_get_cni_bin_dir(char ***dst) - } - - /* conf get websocket server listening port */ --int32_t conf_get_websocket_server_listening_port() -+int32_t conf_get_websocket_server_listening_port(void) - { - int32_t port = 0; - struct service_arguments *conf = NULL; -@@ -1345,7 +1372,7 @@ int32_t conf_get_websocket_server_listening_port() - } - - conf = conf_get_server_conf(); -- if (conf == NULL) { -+ if (conf == NULL || conf->json_confs == NULL) { - goto out; - } - -@@ -1401,6 +1428,10 @@ int set_unix_socket_group(const char *socket, const char *group) - return -1; - } - -+ if (!util_has_prefix(socket, UNIX_SOCKET_PREFIX)) { -+ ERROR("Invalid unix socket: %s", socket); -+ return -1; -+ } - path = socket + strlen(UNIX_SOCKET_PREFIX); - - if (strlen(path) > PATH_MAX || realpath(path, rpath) == NULL) { -@@ -1430,15 +1461,6 @@ out: - return ret; - } - --#define OVERRIDE_STRING_VALUE(dst, src) \ -- do { \ -- if ((src) != NULL && strlen((src)) != 0) { \ -- free((dst)); \ -- (dst) = (src); \ -- (src) = NULL; \ -- } \ -- } while (0) -- - static int string_array_append(char **suffix, size_t suffix_len, size_t *curr_len, char ***result) - { - if (suffix_len > 0) { -@@ -1463,6 +1485,11 @@ int parse_log_opts(struct service_arguments *args, const char *key, const char * - { - int ret = -1; - -+ if (args == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - if (key == NULL || value == NULL) { - return 0; - } -@@ -1682,6 +1709,11 @@ int merge_json_confs_into_global(struct service_arguments *args) - parser_error err = NULL; - int ret = 0; - -+ if (args == NULL) { -+ ERROR("Empty arguments"); -+ return -1; -+ } -+ - tmp_json_confs = isulad_daemon_configs_parse_file(ISULAD_DAEMON_JSON_CONF_FILE, NULL, &err); - if (tmp_json_confs == NULL) { - COMMAND_ERROR("Load isulad json config failed: %s", err != NULL ? err : ""); -@@ -1828,7 +1860,7 @@ static bool valid_isulad_daemon_constants(isulad_daemon_constants *config) - return true; - } - --int init_isulad_daemon_constants() -+int init_isulad_daemon_constants(void) - { - parser_error err = NULL; - int ret = 0; -@@ -1855,7 +1887,7 @@ out: - return ret; - } - --isulad_daemon_constants *get_isulad_daemon_constants() -+isulad_daemon_constants *get_isulad_daemon_constants(void) - { - return g_isulad_daemon_constants; - } -diff --git a/src/daemon/config/isulad_config.h b/src/daemon/config/isulad_config.h -index 92edd6e0..4fe1acdc 100644 ---- a/src/daemon/config/isulad_config.h -+++ b/src/daemon/config/isulad_config.h -@@ -42,43 +42,43 @@ char *conf_get_sandbox_rootpath(void); - char *conf_get_sandbox_statepath(void); - #endif - --char *conf_get_isulad_pidfile(); --char *conf_get_engine_rootpath(); -+char *conf_get_isulad_pidfile(void); -+char *conf_get_engine_rootpath(void); - char *conf_get_routine_rootdir(const char *runtime); - char *conf_get_routine_statedir(const char *runtime); --char *conf_get_isulad_rootdir(); --char *conf_get_isulad_statedir(); --char *conf_get_isulad_mount_rootfs(); --char *conf_get_isulad_loglevel(); --char *conf_get_isulad_logdriver(); -+char *conf_get_isulad_rootdir(void); -+char *conf_get_isulad_statedir(void); -+char *conf_get_isulad_mount_rootfs(void); -+char *conf_get_isulad_loglevel(void); -+char *conf_get_isulad_logdriver(void); - int conf_get_daemon_log_config(char **loglevel, char **logdriver, char **engine_log_path); --char *conf_get_isulad_log_gather_fifo_path(); -+char *conf_get_isulad_log_gather_fifo_path(void); - - int conf_get_cgroup_cpu_rt(int64_t *cpu_rt_period, int64_t *cpu_rt_runtime); - - int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts); - --char *conf_get_isulad_log_file(); --char *conf_get_engine_log_file(); --char *conf_get_enable_plugins(); -+char *conf_get_isulad_log_file(void); -+char *conf_get_engine_log_file(void); -+char *conf_get_enable_plugins(void); - #ifdef ENABLE_USERNS_REMAP --char *conf_get_isulad_userns_remap(); -+char *conf_get_isulad_userns_remap(void); - #endif --char *conf_get_cni_conf_dir(); -+char *conf_get_cni_conf_dir(void); - int conf_get_cni_bin_dir(char ***dst); --int32_t conf_get_websocket_server_listening_port(); -+int32_t conf_get_websocket_server_listening_port(void); - - int save_args_to_conf(struct service_arguments *args); - - int set_unix_socket_group(const char *socket, const char *group); - --int isulad_server_conf_wrlock(); -+int isulad_server_conf_wrlock(void); - --int isulad_server_conf_rdlock(); -+int isulad_server_conf_rdlock(void); - --int isulad_server_conf_unlock(); -+int isulad_server_conf_unlock(void); - --struct service_arguments *conf_get_server_conf(); -+struct service_arguments *conf_get_server_conf(void); - - int get_system_cpu_usage(uint64_t *val); - -@@ -86,31 +86,31 @@ int conf_get_isulad_hooks(oci_runtime_spec_hooks **phooks); - - int conf_get_isulad_default_ulimit(host_config_ulimits_element ***ulimit); - --unsigned int conf_get_start_timeout(); -+unsigned int conf_get_start_timeout(void); - --char **conf_get_insecure_registry_list(); -+char **conf_get_insecure_registry_list(void); - --char **conf_get_registry_list(); --char *conf_get_isulad_native_umask(); -+char **conf_get_registry_list(void); -+char *conf_get_isulad_native_umask(void); - --char *conf_get_isulad_cgroup_parent(); -+char *conf_get_isulad_cgroup_parent(void); - --char *conf_get_default_runtime(); -+char *conf_get_default_runtime(void); - --char *conf_get_graph_check_flag_file(); -+char *conf_get_graph_check_flag_file(void); - --bool conf_get_image_layer_check_flag(); -+bool conf_get_image_layer_check_flag(void); - - int merge_json_confs_into_global(struct service_arguments *args); - --bool conf_get_use_decrypted_key_flag(); --bool conf_get_skip_insecure_verify_flag(); -+bool conf_get_use_decrypted_key_flag(void); -+bool conf_get_skip_insecure_verify_flag(void); - int parse_log_opts(struct service_arguments *args, const char *key, const char *value); - --char *conf_get_isulad_monitor_fifo_path(); -+char *conf_get_isulad_monitor_fifo_path(void); - --int init_isulad_daemon_constants(); --isulad_daemon_constants *get_isulad_daemon_constants(); -+int init_isulad_daemon_constants(void); -+isulad_daemon_constants *get_isulad_daemon_constants(void); - - #ifdef __cplusplus - } -diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c -index ca4061b4..dbfec59e 100644 ---- a/src/daemon/executor/container_cb/execution.c -+++ b/src/daemon/executor/container_cb/execution.c -@@ -912,8 +912,8 @@ static int container_kill_cb(const container_kill_request *request, container_ki - } - - if (!util_valid_signal((int)signal)) { -- isulad_set_error_message("Not supported signal %d", signal); -- ERROR("Not supported signal %d", signal); -+ isulad_set_error_message("Not supported signal %u", signal); -+ ERROR("Not supported signal %u", signal); - cc = ISULAD_ERR_EXEC; - goto pack_response; - } -diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c -index c65aa281..9c097121 100644 ---- a/src/daemon/executor/container_cb/execution_create.c -+++ b/src/daemon/executor/container_cb/execution_create.c -@@ -706,7 +706,7 @@ out: - free(runtime_root); - free(runtime_stat); - if (ret != 0) { -- /* fail, do not use the input v2 spec, host spec and network settings, the memeory will be free by caller*/ -+ /* fail, do not use the input v2 spec, host spec and network settings, the memeory will be free by caller */ - if (cont != NULL) { - cont->common_config = NULL; - cont->hostconfig = NULL; -diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c -index 1ff360f2..ce924332 100644 ---- a/src/daemon/executor/container_cb/execution_network.c -+++ b/src/daemon/executor/container_cb/execution_network.c -@@ -81,11 +81,20 @@ out: - - static int fopen_network(FILE **fp, char **file_path, const char *rootfs, const char *filename) - { -+ int64_t size = 0; -+ - if (util_realpath_in_scope(rootfs, filename, file_path) < 0) { - SYSERROR("Failed to get real path '%s' under rootfs '%s'", filename, rootfs); - isulad_set_error_message("Failed to get real path '%s' under rootfs '%s'", filename, rootfs); - return -1; - } -+ -+ size = util_file_size(*file_path); -+ if (size > REGULAR_FILE_SIZE) { -+ ERROR("Target file '%s', size exceed limit: %lld", *file_path, REGULAR_FILE_SIZE); -+ return -1; -+ } -+ - *fp = util_fopen(*file_path, "a+"); - if (*fp == NULL) { - SYSERROR("Failed to open %s", *file_path); -diff --git a/src/daemon/executor/container_cb/execution_stream.h b/src/daemon/executor/container_cb/execution_stream.h -index 227cc2c3..c0dba7d0 100644 ---- a/src/daemon/executor/container_cb/execution_stream.h -+++ b/src/daemon/executor/container_cb/execution_stream.h -@@ -1,6 +1,3 @@ --#ifndef DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H --#define DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H -- - /****************************************************************************** - * Copyright (c) Huawei Technologies Co., Ltd. 2017-2019. All rights reserved. - * iSulad licensed under the Mulan PSL v2. -@@ -16,6 +13,9 @@ - * Description: provide container list callback function definition - *********************************************************************************/ - -+#ifndef DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H -+#define DAEMON_EXECUTOR_CONTAINER_CB_EXECUTION_STREAM_H -+ - #include "callback.h" - - #ifdef __cplusplus -diff --git a/src/daemon/executor/container_cb/list.c b/src/daemon/executor/container_cb/list.c -index 539a1314..243eb4d2 100644 ---- a/src/daemon/executor/container_cb/list.c -+++ b/src/daemon/executor/container_cb/list.c -@@ -164,14 +164,14 @@ static int append_ids(const map_t *matches, char ***filtered_ids) - return 0; - } - --static int insert_matched_id(char **ids, map_t *matches, void *value, size_t ids_len) -+static int insert_matched_id(char **ids, map_t *matches, bool *value, size_t ids_len) - { - size_t i; - - for (i = 0; i < ids_len; i++) { - container_t *cont = containers_store_get_by_prefix(ids[i]); - if (cont != NULL) { -- bool inserted = map_insert(matches, cont->common_config->id, value); -+ bool inserted = map_insert(matches, (void *)cont->common_config->id, (void *)value); - container_unref(cont); - if (!inserted) { - ERROR("Insert map failed: %s", ids[i]); -diff --git a/src/daemon/executor/image_cb/image_cb.c b/src/daemon/executor/image_cb/image_cb.c -index 124feb21..61fa29db 100644 ---- a/src/daemon/executor/image_cb/image_cb.c -+++ b/src/daemon/executor/image_cb/image_cb.c -@@ -597,7 +597,7 @@ static int trans_one_image(image_list_images_response *response, size_t image_in - goto out; - } - -- if (!unix_nanos_to_timestamp(created_nanos, ×tamp) != 0) { -+ if (!unix_nanos_to_timestamp(created_nanos, ×tamp)) { - ERROR("Failed to translate nanos to timestamp"); - ret = -1; - goto out; -@@ -673,19 +673,6 @@ out: - return ret; - } - --static im_list_request *image_list_context_new(const image_list_images_request *request) --{ -- im_list_request *ctx = NULL; -- -- ctx = util_common_calloc_s(sizeof(im_list_request)); -- if (ctx == NULL) { -- ERROR("Out of memory"); -- return NULL; -- } -- -- return ctx; --} -- - #ifdef ENABLE_OCI_IMAGE - struct image_list_context { - struct filters_args *image_filters; -@@ -731,11 +718,12 @@ static im_list_request *fold_filter(const image_list_images_request *request) - { - im_list_request *ctx = NULL; - -- ctx = image_list_context_new(request); -+ ctx = (im_list_request *)util_common_calloc_s(sizeof(im_list_request)); - if (ctx == NULL) { - ERROR("Out of memory"); - goto error_out; - } -+ - #ifdef ENABLE_OCI_IMAGE - size_t i; - if (request->filters == NULL) { --- -2.25.1 - diff --git a/0006-2242-disable-grpc-remote-connect-by-default.patch b/0006-2242-disable-grpc-remote-connect-by-default.patch new file mode 100644 index 0000000..8fa1bb0 --- /dev/null +++ b/0006-2242-disable-grpc-remote-connect-by-default.patch @@ -0,0 +1,26 @@ +From ee928d5af7ab7c42ee4597e1b6ae5871767c165d Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 13 Nov 2023 03:04:35 +0000 +Subject: [PATCH 06/14] !2242 disable grpc remote connect by default * disable + grpc remote connect by default + +--- + cmake/options.cmake | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cmake/options.cmake b/cmake/options.cmake +index 8f1dfbbe..aeb24662 100644 +--- a/cmake/options.cmake ++++ b/cmake/options.cmake +@@ -106,7 +106,7 @@ if (ENABLE_SELINUX STREQUAL "ON") + message("${Green}-- Enable selinux${ColourReset}") + endif() + +-option(ENABLE_GRPC_REMOTE_CONNECT "enable gRPC remote connect" ON) ++option(ENABLE_GRPC_REMOTE_CONNECT "enable gRPC remote connect" OFF) + if (ENABLE_GRPC_REMOTE_CONNECT STREQUAL "ON") + add_definitions(-DENABLE_GRPC_REMOTE_CONNECT=1) + set(ENABLE_GRPC_REMOTE_CONNECT 1) +-- +2.42.0 + diff --git a/0007-2171-Fix-nullptr-in-src-daemon-entry.patch b/0007-2171-Fix-nullptr-in-src-daemon-entry.patch deleted file mode 100644 index 9e285ec..0000000 --- a/0007-2171-Fix-nullptr-in-src-daemon-entry.patch +++ /dev/null @@ -1,1807 +0,0 @@ -From 290758ba7ee8ce9b1696628ee207bceed847d2d3 Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Tue, 5 Sep 2023 11:10:11 +0000 -Subject: [PATCH 07/32] !2171 Fix nullptr in src/daemon/entry * !2160 Fix - nullptr in src/daemon/entry - ---- - .../cri/v1/cri_v1_runtime_image_service.cc | 29 ++++- - .../cri/v1/cri_v1_runtime_runtime_service.cc | 116 ++++++++++++++++- - .../cri/v1alpha/cri_runtime_image_service.cc | 29 ++++- - .../v1alpha/cri_runtime_runtime_service.cc | 118 +++++++++++++++++- - .../connect/grpc/grpc_containers_service.cc | 35 ++++++ - .../entry/connect/grpc/grpc_images_service.cc | 40 ++++++ - .../connect/grpc/grpc_server_tls_auth.cc | 4 + - .../connect/grpc/grpc_volumes_service.cc | 15 +++ - .../entry/connect/rest/rest_service_common.c | 12 +- - src/daemon/entry/cri/network_plugin.h | 10 +- - .../v1/v1_cri_container_manager_service.cc | 18 ++- - .../cri/v1/v1_cri_container_manager_service.h | 8 +- - .../cri/v1/v1_cri_image_manager_service.h | 4 +- - .../v1/v1_cri_image_manager_service_impl.cc | 12 +- - .../v1/v1_cri_image_manager_service_impl.h | 8 +- - .../v1/v1_cri_pod_sandbox_manager_service.cc | 6 +- - .../v1/v1_cri_pod_sandbox_manager_service.h | 2 +- - .../entry/cri/v1/v1_cri_runtime_service.h | 6 +- - .../cri/v1/v1_cri_runtime_service_impl.cc | 6 +- - .../cri/v1/v1_cri_runtime_service_impl.h | 6 +- - .../v1alpha/cri_container_manager_service.cc | 18 ++- - .../v1alpha/cri_container_manager_service.h | 8 +- - .../cri/v1alpha/cri_image_manager_service.h | 4 +- - .../v1alpha/cri_image_manager_service_impl.cc | 12 +- - .../v1alpha/cri_image_manager_service_impl.h | 8 +- - .../cri_pod_sandbox_manager_service.cc | 12 +- - .../v1alpha/cri_pod_sandbox_manager_service.h | 6 +- - .../entry/cri/v1alpha/cri_runtime_service.h | 8 +- - .../cri/v1alpha/cri_runtime_service_impl.cc | 8 +- - .../cri/v1alpha/cri_runtime_service_impl.h | 8 +- - 30 files changed, 471 insertions(+), 105 deletions(-) - -diff --git a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc -index f3e745ff..ac62b6eb 100644 ---- a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc -+++ b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_image_service.cc -@@ -33,6 +33,11 @@ grpc::Status RuntimeV1ImageServiceImpl::PullImage(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Pulling image %s}", request->image().image().c_str()); - - std::string imageRef = rService->PullImage(request->image(), request->auth(), error); -@@ -54,9 +59,14 @@ grpc::Status RuntimeV1ImageServiceImpl::ListImages(grpc::ServerContext *context, - std::vector> images; - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all images}"); - -- rService->ListImages(request->filter(), &images, error); -+ rService->ListImages(request->filter(), images, error); - if (!error.Empty()) { - ERROR("{Object: CRI, Type: Failed to list all images: %s}", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -82,6 +92,11 @@ grpc::Status RuntimeV1ImageServiceImpl::ImageStatus(grpc::ServerContext *context - std::unique_ptr image_info = nullptr; - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing image %s}", request->image().image().c_str()); - - image_info = rService->ImageStatus(request->image(), error); -@@ -108,9 +123,14 @@ grpc::Status RuntimeV1ImageServiceImpl::ImageFsInfo(grpc::ServerContext *context - std::vector> usages; - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing image fs info}"); - -- rService->ImageFsInfo(&usages, error); -+ rService->ImageFsInfo(usages, error); - if (!error.Empty()) { - ERROR("{Object: CRI, Type: Failed to status image fs info: %s}", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -135,6 +155,11 @@ grpc::Status RuntimeV1ImageServiceImpl::RemoveImage(grpc::ServerContext *context - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Removing image %s}", request->image().image().c_str()); - - rService->RemoveImage(request->image(), error); -diff --git a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc -index d897119d..b8d5746c 100644 ---- a/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc -+++ b/src/daemon/entry/connect/grpc/cri/v1/cri_v1_runtime_runtime_service.cc -@@ -51,6 +51,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Version(grpc::ServerContext *context, - runtime::v1::VersionResponse *reply) - { - Errors error; -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - m_rService->Version(request->version(), reply, error); - if (!error.Empty()) { - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -65,6 +70,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::CreateContainer(grpc::ServerContext *c - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Creating Container}"); - - std::string responseID = -@@ -86,6 +96,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::StartContainer(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Starting Container: %s}", request->container_id().c_str()); - - m_rService->StartContainer(request->container_id(), error); -@@ -105,6 +120,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::StopContainer(grpc::ServerContext *con - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Stopping Container: %s}", request->container_id().c_str()); - - m_rService->StopContainer(request->container_id(), (int64_t)request->timeout(), error); -@@ -124,6 +144,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::RemoveContainer(grpc::ServerContext *c - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Removing Container: %s}", request->container_id().c_str()); - - m_rService->RemoveContainer(request->container_id(), error); -@@ -143,10 +168,15 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ListContainers(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all Container}"); - - std::vector> containers; -- m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, &containers, error); -+ m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, containers, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list all containers %s", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -172,6 +202,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ContainerStats(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Getting Container Stats: %s}", request->container_id().c_str()); - - std::unique_ptr contStats = -@@ -193,10 +228,15 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ListContainerStats(grpc::ServerContext - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all Container stats}"); - - std::vector> containers; -- m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, &containers, error); -+ m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, containers, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list all containers stat %s", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -222,6 +262,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ContainerStatus(grpc::ServerContext *c - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing Container: %s}", request->container_id().c_str()); - - std::unique_ptr contStatus = -@@ -243,6 +288,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ExecSync(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - WARN("Event: {Object: CRI, Type: sync execing Container: %s}", request->container_id().c_str()); - - m_rService->ExecSync(request->container_id(), request->cmd(), request->timeout(), reply, error); -@@ -262,6 +312,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::RunPodSandbox(grpc::ServerContext *con - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Running Pod}"); - - std::string responseID = m_rService->RunPodSandbox(request->config(), request->runtime_handler(), error); -@@ -282,6 +337,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::StopPodSandbox(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Stopping Pod: %s}", request->pod_sandbox_id().c_str()); - - m_rService->StopPodSandbox(request->pod_sandbox_id(), error); -@@ -302,6 +362,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::RemovePodSandbox(grpc::ServerContext * - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Removing Pod: %s}", request->pod_sandbox_id().c_str()); - - m_rService->RemovePodSandbox(request->pod_sandbox_id(), error); -@@ -322,6 +387,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::PodSandboxStatus(grpc::ServerContext * - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Status Pod: %s}", request->pod_sandbox_id().c_str()); - - std::unique_ptr podStatus; -@@ -344,6 +414,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::ListPodSandbox(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all Pods}"); - - std::vector> pods; -@@ -373,6 +448,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::PodSandboxStats(grpc::ServerContext *c - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Stats Pod: %s}", request->pod_sandbox_id().c_str()); - - std::unique_ptr podStats; -@@ -396,10 +476,15 @@ RuntimeV1RuntimeServiceImpl::ListPodSandboxStats(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing Pods Stats}"); - - std::vector> podsStats; -- m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, &podsStats, error); -+ m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, podsStats, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list pods stats: %s", error.GetCMessage()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -425,6 +510,11 @@ RuntimeV1RuntimeServiceImpl::UpdateContainerResources(grpc::ServerContext *conte - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - WARN("Event: {Object: CRI, Type: Updating container resources: %s}", request->container_id().c_str()); - - m_rService->UpdateContainerResources(request->container_id(), request->linux(), error); -@@ -445,6 +535,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Exec(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || response == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: execing Container: %s}", request->container_id().c_str()); - - m_rService->Exec(*request, response, error); -@@ -465,6 +560,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Attach(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || response == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: attaching Container: %s}", request->container_id().c_str()); - - m_rService->Attach(*request, response, error); -@@ -486,6 +586,11 @@ RuntimeV1RuntimeServiceImpl::UpdateRuntimeConfig(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Updating Runtime Config}"); - - m_rService->UpdateRuntimeConfig(request->runtime_config(), error); -@@ -505,6 +610,11 @@ grpc::Status RuntimeV1RuntimeServiceImpl::Status(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing daemon}"); - - std::unique_ptr status = m_rService->Status(error); -diff --git a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc -index b724e729..1353933b 100644 ---- a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc -+++ b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_image_service.cc -@@ -33,6 +33,11 @@ grpc::Status RuntimeImageServiceImpl::PullImage(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Pulling image %s}", request->image().image().c_str()); - - std::string imageRef = rService->PullImage(request->image(), request->auth(), error); -@@ -54,9 +59,14 @@ grpc::Status RuntimeImageServiceImpl::ListImages(grpc::ServerContext *context, - std::vector> images; - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all images}"); - -- rService->ListImages(request->filter(), &images, error); -+ rService->ListImages(request->filter(), images, error); - if (!error.Empty()) { - ERROR("{Object: CRI, Type: Failed to list all images: %s}", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -82,6 +92,11 @@ grpc::Status RuntimeImageServiceImpl::ImageStatus(grpc::ServerContext *context, - std::unique_ptr image_info = nullptr; - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing image %s}", request->image().image().c_str()); - - image_info = rService->ImageStatus(request->image(), error); -@@ -108,9 +123,14 @@ grpc::Status RuntimeImageServiceImpl::ImageFsInfo(grpc::ServerContext *context, - std::vector> usages; - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing image fs info}"); - -- rService->ImageFsInfo(&usages, error); -+ rService->ImageFsInfo(usages, error); - if (!error.Empty()) { - ERROR("{Object: CRI, Type: Failed to status image fs info: %s}", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -135,6 +155,11 @@ grpc::Status RuntimeImageServiceImpl::RemoveImage(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Removing image %s}", request->image().image().c_str()); - - rService->RemoveImage(request->image(), error); -diff --git a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc -index 28775554..ec3f01cd 100644 ---- a/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc -+++ b/src/daemon/entry/connect/grpc/cri/v1alpha/cri_runtime_runtime_service.cc -@@ -49,6 +49,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Version(grpc::ServerContext *context, - runtime::v1alpha2::VersionResponse *reply) - { - Errors error; -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - m_rService->Version(request->version(), reply, error); - if (!error.Empty()) { - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -63,6 +68,11 @@ grpc::Status RuntimeRuntimeServiceImpl::CreateContainer(grpc::ServerContext *con - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Creating Container}"); - - std::string responseID = -@@ -84,6 +94,11 @@ grpc::Status RuntimeRuntimeServiceImpl::StartContainer(grpc::ServerContext *cont - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Starting Container: %s}", request->container_id().c_str()); - - m_rService->StartContainer(request->container_id(), error); -@@ -103,6 +118,11 @@ grpc::Status RuntimeRuntimeServiceImpl::StopContainer(grpc::ServerContext *conte - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Stopping Container: %s}", request->container_id().c_str()); - - m_rService->StopContainer(request->container_id(), (int64_t)request->timeout(), error); -@@ -122,6 +142,11 @@ grpc::Status RuntimeRuntimeServiceImpl::RemoveContainer(grpc::ServerContext *con - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Removing Container: %s}", request->container_id().c_str()); - - m_rService->RemoveContainer(request->container_id(), error); -@@ -141,10 +166,15 @@ grpc::Status RuntimeRuntimeServiceImpl::ListContainers(grpc::ServerContext *cont - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all Container}"); - - std::vector> containers; -- m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, &containers, error); -+ m_rService->ListContainers(request->has_filter() ? &request->filter() : nullptr, containers, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list all containers %s", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -170,6 +200,11 @@ grpc::Status RuntimeRuntimeServiceImpl::ContainerStats(grpc::ServerContext *cont - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Getting Container Stats: %s}", request->container_id().c_str()); - - std::unique_ptr contStats = -@@ -191,10 +226,15 @@ grpc::Status RuntimeRuntimeServiceImpl::ListContainerStats(grpc::ServerContext * - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all Container stats}"); - - std::vector> containers; -- m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, &containers, error); -+ m_rService->ListContainerStats(request->has_filter() ? &request->filter() : nullptr, containers, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list all containers stat %s", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -220,6 +260,11 @@ grpc::Status RuntimeRuntimeServiceImpl::ContainerStatus(grpc::ServerContext *con - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing Container: %s}", request->container_id().c_str()); - - std::unique_ptr contStatus = -@@ -241,6 +286,11 @@ grpc::Status RuntimeRuntimeServiceImpl::ExecSync(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - WARN("Event: {Object: CRI, Type: sync execing Container: %s}", request->container_id().c_str()); - - m_rService->ExecSync(request->container_id(), request->cmd(), request->timeout(), reply, error); -@@ -260,6 +310,11 @@ grpc::Status RuntimeRuntimeServiceImpl::RunPodSandbox(grpc::ServerContext *conte - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Running Pod}"); - - std::string responseID = m_rService->RunPodSandbox(request->config(), request->runtime_handler(), error); -@@ -280,6 +335,11 @@ grpc::Status RuntimeRuntimeServiceImpl::StopPodSandbox(grpc::ServerContext *cont - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Stopping Pod: %s}", request->pod_sandbox_id().c_str()); - - m_rService->StopPodSandbox(request->pod_sandbox_id(), error); -@@ -300,6 +360,11 @@ grpc::Status RuntimeRuntimeServiceImpl::RemovePodSandbox(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Removing Pod: %s}", request->pod_sandbox_id().c_str()); - - m_rService->RemovePodSandbox(request->pod_sandbox_id(), error); -@@ -320,6 +385,11 @@ grpc::Status RuntimeRuntimeServiceImpl::PodSandboxStatus(grpc::ServerContext *co - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Status Pod: %s}", request->pod_sandbox_id().c_str()); - - std::unique_ptr podStatus; -@@ -342,10 +412,15 @@ grpc::Status RuntimeRuntimeServiceImpl::ListPodSandbox(grpc::ServerContext *cont - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing all Pods}"); - - std::vector> pods; -- m_rService->ListPodSandbox(request->has_filter() ? &request->filter() : nullptr, &pods, error); -+ m_rService->ListPodSandbox(request->has_filter() ? &request->filter() : nullptr, pods, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list all pods: %s", error.GetMessage().c_str()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -370,6 +445,11 @@ grpc::Status RuntimeRuntimeServiceImpl::PodSandboxStats(grpc::ServerContext *con - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Stats Pod: %s}", request->pod_sandbox_id().c_str()); - - std::unique_ptr podStats; -@@ -393,10 +473,15 @@ RuntimeRuntimeServiceImpl::ListPodSandboxStats(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Listing Pods Stats}"); - - std::vector> podsStats; -- m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, &podsStats, error); -+ m_rService->ListPodSandboxStats(request->has_filter() ? &request->filter() : nullptr, podsStats, error); - if (!error.Empty()) { - ERROR("Object: CRI, Type: Failed to list pods stats: %s", error.GetCMessage()); - return grpc::Status(grpc::StatusCode::UNKNOWN, error.GetMessage()); -@@ -422,6 +507,11 @@ RuntimeRuntimeServiceImpl::UpdateContainerResources(grpc::ServerContext *context - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - WARN("Event: {Object: CRI, Type: Updating container resources: %s}", request->container_id().c_str()); - - m_rService->UpdateContainerResources(request->container_id(), request->linux(), error); -@@ -442,6 +532,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Exec(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || response == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: execing Container: %s}", request->container_id().c_str()); - - m_rService->Exec(*request, response, error); -@@ -462,6 +557,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Attach(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || response == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: attaching Container: %s}", request->container_id().c_str()); - - m_rService->Attach(*request, response, error); -@@ -483,6 +583,11 @@ RuntimeRuntimeServiceImpl::UpdateRuntimeConfig(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - EVENT("Event: {Object: CRI, Type: Updating Runtime Config}"); - - m_rService->UpdateRuntimeConfig(request->runtime_config(), error); -@@ -502,6 +607,11 @@ grpc::Status RuntimeRuntimeServiceImpl::Status(grpc::ServerContext *context, - { - Errors error; - -+ if (request == nullptr || reply == nullptr) { -+ ERROR("Invalid input arguments"); -+ return grpc::Status(grpc::StatusCode::INVALID_ARGUMENT, "Invalid input arguments"); -+ } -+ - INFO("Event: {Object: CRI, Type: Statusing daemon}"); - - std::unique_ptr status = m_rService->Status(error); -diff --git a/src/daemon/entry/connect/grpc/grpc_containers_service.cc b/src/daemon/entry/connect/grpc/grpc_containers_service.cc -index 76f597b5..ab3f6ab7 100644 ---- a/src/daemon/entry/connect/grpc/grpc_containers_service.cc -+++ b/src/daemon/entry/connect/grpc/grpc_containers_service.cc -@@ -430,6 +430,11 @@ Status ContainerServiceImpl::RemoteExec(ServerContext *context, - container_exec_request *container_req = nullptr; - container_exec_response *container_res = nullptr; - -+ if (context == nullptr || stream == nullptr) { -+ ERROR("Invalid arguments"); -+ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - prctl(PR_SET_NAME, "ContRExec"); - - auto status = GrpcServerTlsAuth::auth(context, "container_exec_create"); -@@ -599,6 +604,11 @@ Status ContainerServiceImpl::Attach(ServerContext *context, ServerReaderWriter &init_metadata = context->client_metadata(); - auto tls_mode_kv = init_metadata.find("tls_mode"); - if (tls_mode_kv == init_metadata.end()) { -diff --git a/src/daemon/entry/connect/grpc/grpc_volumes_service.cc b/src/daemon/entry/connect/grpc/grpc_volumes_service.cc -index 8b090486..004b57b2 100644 ---- a/src/daemon/entry/connect/grpc/grpc_volumes_service.cc -+++ b/src/daemon/entry/connect/grpc/grpc_volumes_service.cc -@@ -118,6 +118,11 @@ int VolumeServiceImpl::volume_prune_response_to_grpc(volume_prune_volume_respons - - Status VolumeServiceImpl::List(ServerContext *context, const ListVolumeRequest *request, ListVolumeResponse *reply) - { -+ if (context == nullptr || request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - auto status = GrpcServerTlsAuth::auth(context, "volume_list"); - if (!status.ok()) { - return status; -@@ -152,6 +157,11 @@ Status VolumeServiceImpl::List(ServerContext *context, const ListVolumeRequest * - Status VolumeServiceImpl::Remove(ServerContext *context, const RemoveVolumeRequest *request, - RemoveVolumeResponse *reply) - { -+ if (context == nullptr || request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - auto status = GrpcServerTlsAuth::auth(context, "volume_remove"); - if (!status.ok()) { - return status; -@@ -185,6 +195,11 @@ Status VolumeServiceImpl::Remove(ServerContext *context, const RemoveVolumeReque - - Status VolumeServiceImpl::Prune(ServerContext *context, const PruneVolumeRequest *request, PruneVolumeResponse *reply) - { -+ if (context == nullptr || request == nullptr || reply == nullptr) { -+ ERROR("Invalid arguments"); -+ return Status(StatusCode::INVALID_ARGUMENT, "Invalid arguments"); -+ } -+ - auto status = GrpcServerTlsAuth::auth(context, "volume_prune"); - if (!status.ok()) { - return status; -diff --git a/src/daemon/entry/connect/rest/rest_service_common.c b/src/daemon/entry/connect/rest/rest_service_common.c -index 54ac5c95..c4161d02 100644 ---- a/src/daemon/entry/connect/rest/rest_service_common.c -+++ b/src/daemon/entry/connect/rest/rest_service_common.c -@@ -26,7 +26,7 @@ - /* get body */ - int get_body(const evhtp_request_t *req, size_t *size_out, char **record_out) - { -- evbuf_t *buf = req->buffer_in; -+ evbuf_t *buf = NULL; - size_t read_count = 0; - size_t total = 0; - size_t content_len = 0; -@@ -34,6 +34,12 @@ int get_body(const evhtp_request_t *req, size_t *size_out, char **record_out) - char *body_p = NULL; - int ret = 0; - -+ if (req == NULL || size_out == NULL || record_out == NULL) { -+ ERROR("Invalid input arguments"); -+ return -1; -+ } -+ -+ buf = req->buffer_in; - content_len = (size_t)evbuffer_get_length(buf); - - if (content_len >= MAX_BODY_SIZE) { -@@ -81,6 +87,10 @@ empty: - /* evhtp send repsponse */ - void evhtp_send_response(evhtp_request_t *req, const char *responsedata, int rescode) - { -+ if (req == NULL || responsedata == NULL) { -+ ERROR("Invalid input arguments"); -+ return; -+ } - evhtp_headers_add_header(req->headers_out, evhtp_header_new("Content-Type", "application/json", 0, 0)); - evbuffer_add(req->buffer_out, responsedata, strlen(responsedata)); - evhtp_send_reply(req, rescode); -diff --git a/src/daemon/entry/cri/network_plugin.h b/src/daemon/entry/cri/network_plugin.h -index 09b0987a..3cb003ba 100644 ---- a/src/daemon/entry/cri/network_plugin.h -+++ b/src/daemon/entry/cri/network_plugin.h -@@ -30,11 +30,11 @@ const std::string POD_DISABLE_DEFAULT_NET_ANNOTATION_KEY = "network.alpha.kubern - class NetworkPluginConf { - public: - /* settings for net plugin */ -- NetworkPluginConf(const std::string &dockershimRootDirectory = "/var/lib/isulad/shim", -- const std::string &pluginConfDir = "/etc/cni/net.d/", -- const std::string &pluginBinDir = "/opt/cni/bin", const std::string &pluginName = "", -- const std::string &hairpinMode = "hairpin-veth", const std::string &nonMasqueradeCIDR = "", -- int32_t mtu = 1460) -+ explicit NetworkPluginConf(const std::string &dockershimRootDirectory = "/var/lib/isulad/shim", -+ const std::string &pluginConfDir = "/etc/cni/net.d/", -+ const std::string &pluginBinDir = "/opt/cni/bin", const std::string &pluginName = "", -+ const std::string &hairpinMode = "hairpin-veth", const std::string &nonMasqueradeCIDR = "", -+ int32_t mtu = 1460) - : m_dockershimRootDirectory(dockershimRootDirectory), - m_pluginConfDir(pluginConfDir), - m_pluginBinDir(pluginBinDir), -diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc -index ba95f684..ecb7ffbd 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc -@@ -653,7 +653,7 @@ void ContainerManagerService::ListContainersFromGRPC(const runtime::v1::Containe - } - - void ContainerManagerService::ListContainersToGRPC(container_list_response *response, -- std::vector> *containers, -+ std::vector> &containers, - Errors &error) - { - for (size_t i {}; i < response->containers_len; i++) { -@@ -700,12 +700,12 @@ void ContainerManagerService::ListContainersToGRPC(container_list_response *resp - CRIHelpersV1::ContainerStatusToRuntime(Container_Status(response->containers[i]->status)); - container->set_state(state); - -- containers->push_back(move(container)); -+ containers.push_back(move(container)); - } - } - - void ContainerManagerService::ListContainers(const runtime::v1::ContainerFilter *filter, -- std::vector> *containers, -+ std::vector> &containers, - Errors &error) - { - if (m_cb == nullptr || m_cb->container.list == nullptr) { -@@ -856,7 +856,7 @@ void ContainerManagerService::PackContainerStatsFilesystemUsage( - - void ContainerManagerService::ContainerStatsToGRPC( - container_stats_response *response, -- std::vector> *containerstats, Errors &error) -+ std::vector> &containerstats, Errors &error) - { - if (response == nullptr) { - return; -@@ -906,22 +906,18 @@ void ContainerManagerService::ContainerStatsToGRPC( - if (response->container_stats[i]->major_page_faults != 0u) { - container->mutable_memory()->mutable_major_page_faults()->set_value(response->container_stats[i]->major_page_faults); - } -- containerstats->push_back(std::move(container)); -+ containerstats.push_back(std::move(container)); - } - } - - void ContainerManagerService::ListContainerStats( - const runtime::v1::ContainerStatsFilter *filter, -- std::vector> *containerstats, Errors &error) -+ std::vector> &containerstats, Errors &error) - { - if (m_cb == nullptr || m_cb->container.stats == nullptr) { - error.SetError("Unimplemented callback"); - return; - } -- if (containerstats == nullptr) { -- error.SetError("Invalid arguments"); -- return; -- } - - container_stats_response *response { nullptr }; - container_stats_request *request = (container_stats_request *)util_common_calloc_s(sizeof(container_stats_request)); -@@ -998,7 +994,7 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err - goto cleanup; - } - -- ContainerStatsToGRPC(response, &contStatsVec, error); -+ ContainerStatsToGRPC(response, contStatsVec, error); - if (error.NotEmpty()) { - goto cleanup; - } -diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h -index 83f4acbe..4f349829 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h -+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.h -@@ -50,10 +50,10 @@ public: - void RemoveContainer(const std::string &containerID, Errors &error); - - void ListContainers(const runtime::v1::ContainerFilter *filter, -- std::vector> *containers, Errors &error); -+ std::vector> &containers, Errors &error); - - void ListContainerStats(const runtime::v1::ContainerStatsFilter *filter, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error); - - auto ContainerStats(const std::string &containerID, Errors &error) -@@ -99,11 +99,11 @@ private: - void ListContainersFromGRPC(const runtime::v1::ContainerFilter *filter, container_list_request **request, - Errors &error); - void ListContainersToGRPC(container_list_response *response, -- std::vector> *pods, Errors &error); -+ std::vector> &pods, Errors &error); - auto PackContainerStatsFilter(const runtime::v1::ContainerStatsFilter *filter, - container_stats_request *request, Errors &error) -> int; - void ContainerStatsToGRPC(container_stats_response *response, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error); - void PackContainerStatsAttributes(const char *id, std::unique_ptr &container, - Errors &error); -diff --git a/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h -index 66af0abe..3a5fdf8c 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h -+++ b/src/daemon/entry/cri/v1/v1_cri_image_manager_service.h -@@ -28,7 +28,7 @@ public: - virtual ~ImageManagerService() = default; - - virtual void ListImages(const runtime::v1::ImageFilter &filter, -- std::vector> *images, Errors &error) = 0; -+ std::vector> &images, Errors &error) = 0; - - virtual auto ImageStatus(const runtime::v1::ImageSpec &image, - Errors &error) -> std::unique_ptr = 0; -@@ -38,7 +38,7 @@ public: - - virtual void RemoveImage(const runtime::v1::ImageSpec &image, Errors &error) = 0; - -- virtual void ImageFsInfo(std::vector> *usages, -+ virtual void ImageFsInfo(std::vector> &usages, - Errors &error) = 0; - }; - } // namespace CRIV1 -diff --git a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc -index 763b6cd5..b74834fb 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.cc -@@ -133,7 +133,7 @@ auto ImageManagerServiceImpl::list_request_from_grpc(const runtime::v1::ImageFil - } - - void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, -- std::vector> *images, -+ std::vector> &images, - Errors &error) - { - imagetool_images_list *list_images = response->images; -@@ -150,12 +150,12 @@ void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, - - imagetool_image_summary *element = list_images->images[i]; - conv_image_to_grpc(element, image); -- images->push_back(move(image)); -+ images.push_back(move(image)); - } - } - - void ImageManagerServiceImpl::ListImages(const runtime::v1::ImageFilter &filter, -- std::vector> *images, Errors &error) -+ std::vector> &images, Errors &error) - { - im_list_request *request { nullptr }; - im_list_response *response { nullptr }; -@@ -331,7 +331,7 @@ cleanup: - } - - void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, -- std::vector> *fs_infos, -+ std::vector> &fs_infos, - Errors & /*error*/) - { - imagetool_fs_info *got_fs_info = response->fs_info; -@@ -381,11 +381,11 @@ void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, - fs_info->set_allocated_inodes_used(inodes_used); - } - -- fs_infos->push_back(std::move(fs_info)); -+ fs_infos.push_back(std::move(fs_info)); - } - } - --void ImageManagerServiceImpl::ImageFsInfo(std::vector> *usages, -+void ImageManagerServiceImpl::ImageFsInfo(std::vector> &usages, - Errors &error) - { - im_fs_info_response *response { nullptr }; -diff --git a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h -index 30e7c588..3f13a157 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h -+++ b/src/daemon/entry/cri/v1/v1_cri_image_manager_service_impl.h -@@ -30,7 +30,7 @@ public: - virtual ~ImageManagerServiceImpl() = default; - - void ListImages(const runtime::v1::ImageFilter &filter, -- std::vector> *images, Errors &error) override; -+ std::vector> &images, Errors &error) override; - - std::unique_ptr ImageStatus(const runtime::v1::ImageSpec &image, - Errors &error) override; -@@ -40,7 +40,7 @@ public: - - void RemoveImage(const runtime::v1::ImageSpec &image, Errors &error) override; - -- void ImageFsInfo(std::vector> *usages, Errors &error) override; -+ void ImageFsInfo(std::vector> &usages, Errors &error) override; - - private: - int pull_request_from_grpc(const runtime::v1::ImageSpec *image, const runtime::v1::AuthConfig *auth, -@@ -48,7 +48,7 @@ private: - - int list_request_from_grpc(const runtime::v1::ImageFilter *filter, im_list_request **request, Errors &error); - -- void list_images_to_grpc(im_list_response *response, std::vector> *images, -+ void list_images_to_grpc(im_list_response *response, std::vector> &images, - Errors &error); - - int status_request_from_grpc(const runtime::v1::ImageSpec *image, im_summary_request **request, -@@ -57,7 +57,7 @@ private: - std::unique_ptr status_image_to_grpc(im_summary_response *response, Errors &error); - - void fs_info_to_grpc(im_fs_info_response *response, -- std::vector> *fs_infos, Errors &error); -+ std::vector> &fs_infos, Errors &error); - - int remove_request_from_grpc(const runtime::v1::ImageSpec *image, im_rmi_request **request, Errors &error); - }; -diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -index 687f4e6d..d57338c8 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -@@ -915,7 +915,7 @@ void PodSandboxManagerService::PackagePodSandboxContainerStats( - runtime::v1::ContainerStatsFilter filter; - - filter.set_pod_sandbox_id(id); -- containerManager->ListContainerStats(&filter, &containerStats, error); -+ containerManager->ListContainerStats(&filter, containerStats, error); - if (error.NotEmpty()) { - error.Errorf("Failed to list container stats: %s", error.GetCMessage()); - return; -@@ -1140,7 +1140,7 @@ cleanup: - - void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, - const std::unique_ptr &containerManager, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) - { - std::vector podSandboxIDs; -@@ -1165,7 +1165,7 @@ void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1::PodSandbox - continue; - } - -- podsStats->push_back(move(podStats)); -+ podsStats.push_back(move(podStats)); - } - } - -diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h -index ddab6f4e..99347fd8 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h -+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.h -@@ -66,7 +66,7 @@ public: - - void ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, - const std::unique_ptr &containerManager, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error); - - void PortForward(const runtime::v1::PortForwardRequest &req, runtime::v1::PortForwardResponse *resp, -diff --git a/src/daemon/entry/cri/v1/v1_cri_runtime_service.h b/src/daemon/entry/cri/v1/v1_cri_runtime_service.h -index cd7c52db..87394173 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_runtime_service.h -+++ b/src/daemon/entry/cri/v1/v1_cri_runtime_service.h -@@ -43,10 +43,10 @@ public: - virtual void RemoveContainer(const std::string &containerID, Errors &error) = 0; - - virtual void ListContainers(const runtime::v1::ContainerFilter *filter, -- std::vector> *containers, Errors &error) = 0; -+ std::vector> &containers, Errors &error) = 0; - - virtual void ListContainerStats(const runtime::v1::ContainerStatsFilter *filter, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error) = 0; - - virtual auto ContainerStats(const std::string &containerID, -@@ -80,7 +80,7 @@ public: - Errors &error) -> std::unique_ptr = 0; - - virtual void ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) = 0; - - virtual void UpdateContainerResources(const std::string &containerID, -diff --git a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc -index b6652f7d..67cda5ed 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.cc -@@ -57,7 +57,7 @@ void CRIRuntimeServiceImpl::RemoveContainer(const std::string &containerID, Erro - } - - void CRIRuntimeServiceImpl::ListContainers(const runtime::v1::ContainerFilter *filter, -- std::vector> *containers, -+ std::vector> &containers, - Errors &error) - { - m_containerManager->ListContainers(filter, containers, error); -@@ -65,7 +65,7 @@ void CRIRuntimeServiceImpl::ListContainers(const runtime::v1::ContainerFilter *f - - void CRIRuntimeServiceImpl::ListContainerStats( - const runtime::v1::ContainerStatsFilter *filter, -- std::vector> *containerstats, Errors &error) -+ std::vector> &containerstats, Errors &error) - { - m_containerManager->ListContainerStats(filter, containerstats, error); - } -@@ -145,7 +145,7 @@ auto CRIRuntimeServiceImpl::PodSandboxStats(const std::string &podSandboxID, Err - - void - CRIRuntimeServiceImpl::ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) - { - m_podSandboxManager->ListPodSandboxStats(filter, m_containerManager, podsStats, error); -diff --git a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h -index 49272281..23866648 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h -+++ b/src/daemon/entry/cri/v1/v1_cri_runtime_service_impl.h -@@ -45,10 +45,10 @@ public: - void RemoveContainer(const std::string &containerID, Errors &error) override; - - void ListContainers(const runtime::v1::ContainerFilter *filter, -- std::vector> *containers, Errors &error) override; -+ std::vector> &containers, Errors &error) override; - - void ListContainerStats(const runtime::v1::ContainerStatsFilter *filter, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error) override; - - auto ContainerStats(const std::string &containerID, Errors &error) -@@ -82,7 +82,7 @@ public: - Errors &error) -> std::unique_ptr override; - - void ListPodSandboxStats(const runtime::v1::PodSandboxStatsFilter *filter, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) override; - - void UpdateContainerResources(const std::string &containerID, -diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc -index 569f339b..b4faab95 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc -+++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc -@@ -671,7 +671,7 @@ void ContainerManagerService::ListContainersFromGRPC(const runtime::v1alpha2::Co - } - - void ContainerManagerService::ListContainersToGRPC(container_list_response *response, -- std::vector> *pods, -+ std::vector> &pods, - Errors &error) - { - for (size_t i {}; i < response->containers_len; i++) { -@@ -718,12 +718,12 @@ void ContainerManagerService::ListContainersToGRPC(container_list_response *resp - CRIHelpersV1Alpha::ContainerStatusToRuntime(Container_Status(response->containers[i]->status)); - container->set_state(state); - -- pods->push_back(move(container)); -+ pods.push_back(move(container)); - } - } - - void ContainerManagerService::ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -- std::vector> *containers, -+ std::vector> &containers, - Errors &error) - { - if (m_cb == nullptr || m_cb->container.list == nullptr) { -@@ -874,7 +874,7 @@ void ContainerManagerService::PackContainerStatsFilesystemUsage( - - void ContainerManagerService::ContainerStatsToGRPC( - container_stats_response *response, -- std::vector> *containerstats, Errors &error) -+ std::vector> &containerstats, Errors &error) - { - if (response == nullptr) { - return; -@@ -924,22 +924,18 @@ void ContainerManagerService::ContainerStatsToGRPC( - if (response->container_stats[i]->major_page_faults != 0u) { - container->mutable_memory()->mutable_major_page_faults()->set_value(response->container_stats[i]->major_page_faults); - } -- containerstats->push_back(std::move(container)); -+ containerstats.push_back(std::move(container)); - } - } - - void ContainerManagerService::ListContainerStats( - const runtime::v1alpha2::ContainerStatsFilter *filter, -- std::vector> *containerstats, Errors &error) -+ std::vector> &containerstats, Errors &error) - { - if (m_cb == nullptr || m_cb->container.stats == nullptr) { - error.SetError("Unimplemented callback"); - return; - } -- if (containerstats == nullptr) { -- error.SetError("Invalid arguments"); -- return; -- } - - container_stats_response *response { nullptr }; - container_stats_request *request = (container_stats_request *)util_common_calloc_s(sizeof(container_stats_request)); -@@ -1016,7 +1012,7 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err - goto cleanup; - } - -- ContainerStatsToGRPC(response, &contStatsVec, error); -+ ContainerStatsToGRPC(response, contStatsVec, error); - if (error.NotEmpty()) { - goto cleanup; - } -diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h -index ea22b1cd..f802d3bc 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h -+++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.h -@@ -47,10 +47,10 @@ public: - void RemoveContainer(const std::string &containerID, Errors &error); - - void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -- std::vector> *containers, Errors &error); -+ std::vector> &containers, Errors &error); - - void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error); - - auto ContainerStats(const std::string &containerID, Errors &error) -@@ -97,11 +97,11 @@ private: - void ListContainersFromGRPC(const runtime::v1alpha2::ContainerFilter *filter, container_list_request **request, - Errors &error); - void ListContainersToGRPC(container_list_response *response, -- std::vector> *pods, Errors &error); -+ std::vector> &pods, Errors &error); - auto PackContainerStatsFilter(const runtime::v1alpha2::ContainerStatsFilter *filter, - container_stats_request *request, Errors &error) -> int; - void ContainerStatsToGRPC(container_stats_response *response, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error); - void PackContainerStatsAttributes(const char *id, std::unique_ptr &container, - Errors &error); -diff --git a/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h b/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h -index b6e506d5..9b2530ab 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h -+++ b/src/daemon/entry/cri/v1alpha/cri_image_manager_service.h -@@ -28,7 +28,7 @@ public: - virtual ~ImageManagerService() = default; - - virtual void ListImages(const runtime::v1alpha2::ImageFilter &filter, -- std::vector> *images, Errors &error) = 0; -+ std::vector> &images, Errors &error) = 0; - - virtual auto ImageStatus(const runtime::v1alpha2::ImageSpec &image, - Errors &error) -> std::unique_ptr = 0; -@@ -38,7 +38,7 @@ public: - - virtual void RemoveImage(const runtime::v1alpha2::ImageSpec &image, Errors &error) = 0; - -- virtual void ImageFsInfo(std::vector> *usages, -+ virtual void ImageFsInfo(std::vector> &usages, - Errors &error) = 0; - }; - } // namespace CRI -diff --git a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc -index ad9e8ef1..3ff79ffc 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc -+++ b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.cc -@@ -133,7 +133,7 @@ auto ImageManagerServiceImpl::list_request_from_grpc(const runtime::v1alpha2::Im - } - - void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, -- std::vector> *images, -+ std::vector> &images, - Errors &error) - { - imagetool_images_list *list_images = response->images; -@@ -150,12 +150,12 @@ void ImageManagerServiceImpl::list_images_to_grpc(im_list_response *response, - - imagetool_image_summary *element = list_images->images[i]; - conv_image_to_grpc(element, image); -- images->push_back(move(image)); -+ images.push_back(move(image)); - } - } - - void ImageManagerServiceImpl::ListImages(const runtime::v1alpha2::ImageFilter &filter, -- std::vector> *images, Errors &error) -+ std::vector> &images, Errors &error) - { - im_list_request *request { nullptr }; - im_list_response *response { nullptr }; -@@ -331,7 +331,7 @@ cleanup: - } - - void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, -- std::vector> *fs_infos, -+ std::vector> &fs_infos, - Errors & /*error*/) - { - imagetool_fs_info *got_fs_info = response->fs_info; -@@ -381,11 +381,11 @@ void ImageManagerServiceImpl::fs_info_to_grpc(im_fs_info_response *response, - fs_info->set_allocated_inodes_used(inodes_used); - } - -- fs_infos->push_back(std::move(fs_info)); -+ fs_infos.push_back(std::move(fs_info)); - } - } - --void ImageManagerServiceImpl::ImageFsInfo(std::vector> *usages, -+void ImageManagerServiceImpl::ImageFsInfo(std::vector> &usages, - Errors &error) - { - im_fs_info_response *response { nullptr }; -diff --git a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h -index b94f8908..edf482c9 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h -+++ b/src/daemon/entry/cri/v1alpha/cri_image_manager_service_impl.h -@@ -30,7 +30,7 @@ public: - virtual ~ImageManagerServiceImpl() = default; - - void ListImages(const runtime::v1alpha2::ImageFilter &filter, -- std::vector> *images, Errors &error) override; -+ std::vector> &images, Errors &error) override; - - std::unique_ptr ImageStatus(const runtime::v1alpha2::ImageSpec &image, - Errors &error) override; -@@ -40,7 +40,7 @@ public: - - void RemoveImage(const runtime::v1alpha2::ImageSpec &image, Errors &error) override; - -- void ImageFsInfo(std::vector> *usages, Errors &error) override; -+ void ImageFsInfo(std::vector> &usages, Errors &error) override; - - private: - int pull_request_from_grpc(const runtime::v1alpha2::ImageSpec *image, const runtime::v1alpha2::AuthConfig *auth, -@@ -48,7 +48,7 @@ private: - - int list_request_from_grpc(const runtime::v1alpha2::ImageFilter *filter, im_list_request **request, Errors &error); - -- void list_images_to_grpc(im_list_response *response, std::vector> *images, -+ void list_images_to_grpc(im_list_response *response, std::vector> &images, - Errors &error); - - int status_request_from_grpc(const runtime::v1alpha2::ImageSpec *image, im_summary_request **request, -@@ -57,7 +57,7 @@ private: - std::unique_ptr status_image_to_grpc(im_summary_response *response, Errors &error); - - void fs_info_to_grpc(im_fs_info_response *response, -- std::vector> *fs_infos, Errors &error); -+ std::vector> &fs_infos, Errors &error); - - int remove_request_from_grpc(const runtime::v1alpha2::ImageSpec *image, im_rmi_request **request, Errors &error); - }; -diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc -index d23e7754..c24c1f69 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc -+++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc -@@ -1246,7 +1246,7 @@ void PodSandboxManagerService::ListPodSandboxFromGRPC(const runtime::v1alpha2::P - } - - void PodSandboxManagerService::ListPodSandboxToGRPC(container_list_response *response, -- std::vector> *pods, -+ std::vector> &pods, - bool filterOutReadySandboxes, Errors &error) - { - for (size_t i = 0; i < response->containers_len; i++) { -@@ -1272,12 +1272,12 @@ void PodSandboxManagerService::ListPodSandboxToGRPC(container_list_response *res - continue; - } - -- pods->push_back(std::move(pod)); -+ pods.push_back(std::move(pod)); - } - } - - void PodSandboxManagerService::ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, -- std::vector> *pods, -+ std::vector> &pods, - Errors &error) - { - int ret = 0; -@@ -1464,7 +1464,7 @@ void PodSandboxManagerService::PackagePodSandboxContainerStats( - runtime::v1alpha2::ContainerStatsFilter filter; - - filter.set_pod_sandbox_id(id); -- containerManager->ListContainerStats(&filter, &containerStats, error); -+ containerManager->ListContainerStats(&filter, containerStats, error); - if (error.NotEmpty()) { - error.Errorf("Failed to list container stats: %s", error.GetCMessage()); - return; -@@ -1689,7 +1689,7 @@ cleanup: - - void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, - const std::unique_ptr &containerManager, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) - { - std::vector podSandboxIDs; -@@ -1714,7 +1714,7 @@ void PodSandboxManagerService::ListPodSandboxStats(const runtime::v1alpha2::PodS - continue; - } - -- podsStats->push_back(move(podStats)); -+ podsStats.push_back(move(podStats)); - } - } - -diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h -index 2f4505df..1a075f86 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h -+++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.h -@@ -57,7 +57,7 @@ public: - -> std::unique_ptr; - - void ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, -- std::vector> *pods, Errors &error); -+ std::vector> &pods, Errors &error); - - auto PodSandboxStats(const std::string &podSandboxID, - const std::unique_ptr &containerManager, -@@ -65,7 +65,7 @@ public: - - void ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, - const std::unique_ptr &containerManager, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error); - - void PortForward(const runtime::v1alpha2::PortForwardRequest &req, runtime::v1alpha2::PortForwardResponse *resp, -@@ -130,7 +130,7 @@ private: - void ListPodSandboxFromGRPC(const runtime::v1alpha2::PodSandboxFilter *filter, container_list_request **request, - bool *filterOutReadySandboxes, Errors &error); - void ListPodSandboxToGRPC(container_list_response *response, -- std::vector> *pods, -+ std::vector> &pods, - bool filterOutReadySandboxes, Errors &error); - void UpdatePodSandboxNetworkSettings(const std::string &id, const std::string &json, Errors &error); - auto GetNsenterPath(Errors &error) -> std::string; -diff --git a/src/daemon/entry/cri/v1alpha/cri_runtime_service.h b/src/daemon/entry/cri/v1alpha/cri_runtime_service.h -index d157237c..79f61a44 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_runtime_service.h -+++ b/src/daemon/entry/cri/v1alpha/cri_runtime_service.h -@@ -43,10 +43,10 @@ public: - virtual void RemoveContainer(const std::string &containerID, Errors &error) = 0; - - virtual void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -- std::vector> *containers, Errors &error) = 0; -+ std::vector> &containers, Errors &error) = 0; - - virtual void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error) = 0; - - virtual auto ContainerStats(const std::string &containerID, -@@ -74,13 +74,13 @@ public: - Errors &error) -> std::unique_ptr = 0; - - virtual void ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, -- std::vector> *pods, Errors &error) = 0; -+ std::vector> &pods, Errors &error) = 0; - - virtual auto PodSandboxStats(const std::string &podSandboxID, - Errors &error) -> std::unique_ptr = 0; - - virtual void ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) = 0; - - virtual void UpdateContainerResources(const std::string &containerID, -diff --git a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc -index 778b0b69..d50e23e9 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc -+++ b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.cc -@@ -57,7 +57,7 @@ void CRIRuntimeServiceImpl::RemoveContainer(const std::string &containerID, Erro - } - - void CRIRuntimeServiceImpl::ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -- std::vector> *containers, -+ std::vector> &containers, - Errors &error) - { - m_containerManager->ListContainers(filter, containers, error); -@@ -65,7 +65,7 @@ void CRIRuntimeServiceImpl::ListContainers(const runtime::v1alpha2::ContainerFil - - void CRIRuntimeServiceImpl::ListContainerStats( - const runtime::v1alpha2::ContainerStatsFilter *filter, -- std::vector> *containerstats, Errors &error) -+ std::vector> &containerstats, Errors &error) - { - m_containerManager->ListContainerStats(filter, containerstats, error); - } -@@ -131,7 +131,7 @@ auto CRIRuntimeServiceImpl::PodSandboxStatus(const std::string &podSandboxID, Er - } - - void CRIRuntimeServiceImpl::ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, -- std::vector> *pods, -+ std::vector> &pods, - Errors &error) - { - m_podSandboxManager->ListPodSandbox(filter, pods, error); -@@ -145,7 +145,7 @@ auto CRIRuntimeServiceImpl::PodSandboxStats(const std::string &podSandboxID, Err - - void - CRIRuntimeServiceImpl::ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) - { - m_podSandboxManager->ListPodSandboxStats(filter, m_containerManager, podsStats, error); -diff --git a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h -index f2323524..23c8a400 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h -+++ b/src/daemon/entry/cri/v1alpha/cri_runtime_service_impl.h -@@ -45,10 +45,10 @@ public: - void RemoveContainer(const std::string &containerID, Errors &error) override; - - void ListContainers(const runtime::v1alpha2::ContainerFilter *filter, -- std::vector> *containers, Errors &error) override; -+ std::vector> &containers, Errors &error) override; - - void ListContainerStats(const runtime::v1alpha2::ContainerStatsFilter *filter, -- std::vector> *containerstats, -+ std::vector> &containerstats, - Errors &error) override; - - auto ContainerStats(const std::string &containerID, Errors &error) -@@ -76,13 +76,13 @@ public: - -> std::unique_ptr override; - - void ListPodSandbox(const runtime::v1alpha2::PodSandboxFilter *filter, -- std::vector> *pods, Errors &error) override; -+ std::vector> &pods, Errors &error) override; - - auto PodSandboxStats(const std::string &podSandboxID, - Errors &error) -> std::unique_ptr override; - - void ListPodSandboxStats(const runtime::v1alpha2::PodSandboxStatsFilter *filter, -- std::vector> *podsStats, -+ std::vector> &podsStats, - Errors &error) override; - - void UpdateContainerResources(const std::string &containerID, --- -2.25.1 - diff --git a/0007-2244-Save-task-address-of-shim-v2.patch b/0007-2244-Save-task-address-of-shim-v2.patch new file mode 100644 index 0000000..c7bf391 --- /dev/null +++ b/0007-2244-Save-task-address-of-shim-v2.patch @@ -0,0 +1,209 @@ +From 23945e20c418595a7a4037e9258f23aa7bed6b48 Mon Sep 17 00:00:00 2001 +From: jake +Date: Mon, 13 Nov 2023 08:15:12 +0000 +Subject: [PATCH 07/14] !2244 Save task address of shim v2 * Save task address + of shim v2 + +--- + .../v1/v1_cri_container_manager_service.cc | 6 ++ + .../v1alpha/cri_container_manager_service.cc | 5 ++ + src/daemon/modules/runtime/shim/shim_rt_ops.c | 86 ++++++++++++++----- + 3 files changed, 74 insertions(+), 23 deletions(-) + +diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +index 1f20d2d2..f635df2b 100644 +--- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc +@@ -1013,6 +1013,12 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err + if (error.NotEmpty()) { + goto cleanup; + } ++ if (contStatsVec.size() == 0) { ++ ERROR("Failed to get container stats"); ++ error.SetError("Failed to get container stats"); ++ goto cleanup; ++ } ++ + contStats = std::move(contStatsVec[0]); + + cleanup: +diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc +index 6f8ca114..9da25768 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc +@@ -1019,6 +1019,11 @@ auto ContainerManagerService::ContainerStats(const std::string &containerID, Err + if (error.NotEmpty()) { + goto cleanup; + } ++ if (contStatsVec.size() == 0) { ++ ERROR("Failed to get container stats"); ++ error.SetError("Failed to get container stats"); ++ goto cleanup; ++ } + contStats = std::move(contStatsVec[0]); + + cleanup: +diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c +index d348dfe1..550b17f3 100644 +--- a/src/daemon/modules/runtime/shim/shim_rt_ops.c ++++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c +@@ -16,13 +16,17 @@ + #define _GNU_SOURCE + + #include "shim_rt_ops.h" ++ + #include + #include + #include + #include + #include +-#include "isula_libutils/log.h" +-#include "isula_libutils/shim_client_process_state.h" ++ ++#include ++#include ++#include ++ + #include "utils.h" + #include "utils_string.h" + #include "constants.h" +@@ -318,16 +322,46 @@ bool rt_shim_detect(const char *runtime) + return false; + } + ++static int save_shim_v2_address(const char *bundle, const char *addr) ++{ ++ int nret; ++ char filename[PATH_MAX] = { 0 }; ++ ++ if (bundle == NULL) { ++ ERROR("Invalid input params"); ++ return -1; ++ } ++ ++ if (addr == NULL || strlen(addr) == 0) { ++ ERROR("Invalid shim v2 addr"); ++ return -1; ++ } ++ ++ nret = snprintf(filename, sizeof(filename), "%s/%s", bundle, "address"); ++ if (nret < 0 || (size_t)nret >= sizeof(filename)) { ++ ERROR("Failed to print string"); ++ return -1; ++ } ++ ++ nret = util_atomic_write_file(filename, addr, strlen(addr), CONFIG_FILE_MODE, false); ++ if (nret != 0) { ++ ERROR("Failed to write file %s", filename); ++ return -1; ++ } ++ ++ return 0; ++} ++ + int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t *params) + { + int ret = 0; + int pid = 0; + int fd = -1; + const char *task_address = NULL; +- char addr[PATH_MAX] = {0}; +- char *exit_fifo_path = NULL; +- char *state_path = NULL; +- char *log_path = NULL; ++ char response[PATH_MAX] = {0}; ++ __isula_auto_free char *exit_fifo_path = NULL; ++ __isula_auto_free char *state_path = NULL; ++ __isula_auto_free char *log_path = NULL; + + if (id == NULL || runtime == NULL || params == NULL) { + ERROR("Invalid input params"); +@@ -337,29 +371,25 @@ int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t + exit_fifo_path = util_path_dir(params->exit_fifo); + if (exit_fifo_path == NULL) { + ERROR("%s: failed to get exit fifo dir from %s", id, params->exit_fifo); +- ret = -1; +- goto out; ++ return -1; + } + + state_path = util_path_dir(exit_fifo_path); + if (state_path == NULL) { + ERROR("%s:failed to get state dir from %s", id, exit_fifo_path); +- ret = -1; +- goto out; ++ return -1; + } + + log_path = util_string_append(SHIM_V2_LOG, params->bundle); + if (log_path == NULL) { + ERROR("Fail to append log path"); +- ret = -1; +- goto out; ++ return -1; + } + + fd = util_open(log_path, O_RDWR | O_CREAT | O_TRUNC, DEFAULT_SECURE_FILE_MODE); + if (fd < 0) { + ERROR("Failed to create log file for shim v2: %s", log_path); +- ret = -1; +- goto out; ++ return -1; + } + close(fd); + +@@ -367,13 +397,13 @@ int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t + * If task address is not set, create a new shim-v2 and get the address. + * If task address is set, use it directly. + */ +- if (params->task_addr == NULL) { +- if (shim_bin_v2_create(runtime, id, params->bundle, NULL, addr, state_path) != 0) { ++ if (params->task_addr == NULL || strlen(params->task_addr) == 0) { ++ if (shim_bin_v2_create(runtime, id, params->bundle, NULL, response, state_path) != 0) { + ERROR("%s: failed to create v2 shim", id); +- ret = -1; +- goto out; ++ return -1; + } +- task_address = addr; ++ ++ task_address = response; + } else { + task_address = params->task_addr; + } +@@ -392,10 +422,20 @@ int rt_shim_create(const char *id, const char *runtime, const rt_create_params_t + goto out; + } + ++ if (save_shim_v2_address(params->bundle, task_address) != 0) { ++ ERROR("%s: failed to save shim v2 address", id); ++ ret = -1; ++ goto out; ++ } ++ ++ return 0; ++ + out: +- free(log_path); +- free(exit_fifo_path); +- free(state_path); ++ if (ret != 0) { ++ if (shim_v2_kill(id, NULL, SIGKILL, false) != 0) { ++ ERROR("%s: kill shim v2 failed", id); ++ } ++ } + return ret; + } + +@@ -614,7 +654,7 @@ int rt_shim_status(const char *id, const char *runtime, const rt_status_params_t + return -1; + } + +- if (params->task_address != NULL) { ++ if (params->task_address != NULL && strlen(params->task_address) != 0) { + if (strlen(params->task_address) >= PATH_MAX) { + ERROR("Invalid task address"); + return -1; +-- +2.42.0 + diff --git a/0008-2233-add-runc-append-function-design-doc.patch b/0008-2233-add-runc-append-function-design-doc.patch new file mode 100644 index 0000000..c1fc023 --- /dev/null +++ b/0008-2233-add-runc-append-function-design-doc.patch @@ -0,0 +1,110 @@ +From 426b309efdee934f61a6fb27b278711aa5419dd5 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 13 Nov 2023 08:22:46 +0000 +Subject: [PATCH 08/14] !2233 add runc append function design doc * add runc + append function design doc + +--- + .../detailed/Runtime/runc_design_append.md | 75 +++++++++++++++++++ + docs/images/runc_isula_attach_flow_chart.svg | 5 ++ + 2 files changed, 80 insertions(+) + create mode 100644 docs/design/detailed/Runtime/runc_design_append.md + create mode 100644 docs/images/runc_isula_attach_flow_chart.svg + +diff --git a/docs/design/detailed/Runtime/runc_design_append.md b/docs/design/detailed/Runtime/runc_design_append.md +new file mode 100644 +index 00000000..aa17f558 +--- /dev/null ++++ b/docs/design/detailed/Runtime/runc_design_append.md +@@ -0,0 +1,75 @@ ++| Author | zhongtao | ++| ------ | --------------------- | ++| Date | 2023-10-19 | ++| Email | zhongtao17@huawei.com | ++ ++# 方案目标 ++ ++isulad当前默认的runtime为lcr + lxc,具有高性能的特点。但是该runtime是通过oci规范转换为lxc规范实现的,而且在lxc中进行了较多适配修改。 ++ ++随着oci 规范的日益成熟,oci规范实现的runtime能满足各种场景需求。因此iSulad实现基于oci 规范的runtime对接,具有底噪更低的优势。 ++ ++需求目标分为以下5点: ++ ++1. 对于isula 命令行支持 oci runtime 容器的功能进行全量排查,识别缺失功能。 ++2. 补齐缺失功能,保证切换默认runtime为runc之后功能的完整性,并针对新增功能补充对应的单元测试与门禁测试。 ++3. 梳理isulad-shim依赖情况,解耦isulad-shim依赖,减少runc容器底噪,并且提高稳定性(静态编译isulad-shim,从而使得isulad-shim不依赖isulad版本,支持isulad热升级) ++4. 重构社区门禁CI框架,支持多 runtime 测试。 ++ ++# 总体设计 ++ ++由于isulad与runc之间的交互存在gap,且将容器创建成功之后,容器进程的生命周期与isulad进程的生命周期没有必然联系,因此isulad设计了一个isulad-shim进程,用于isulad与runc的交互并将isulad与容器实例解耦。 ++ ++isulad 与 isulad-shim的关系以及整体结构请参照:[runc_design](./runc_design_zh.md) 。 ++ ++由于isula attach 涉及到attach中新建的fifo fd与容器首进程io进行数据交换,因此需要isulad与容器首进程对应的isulad-shim进行通信,完成建立io 连接并进行io copy操作。 ++ ++isula top 命令仅需要在isulad中直接调用runc二进制。 ++# 接口描述 ++ ++## isula_rt_ops模块 ++ ++```c ++ ++int rt_isula_attach(const char *id, const char *runtime, const rt_attach_params_t *params); ++ ++int rt_isula_listpids(const char *name, const char *runtime, const rt_listpids_params_t *params, ++ rt_listpids_out_t *out); ++``` ++# 详细设计 ++ ++## attach 实现流程 ++ ++### 流程图 ++ ++![runc_isula_attach_flow_chart](../../../images/runc_isula_attach_flow_chart.svg) ++ ++### 详细流程 ++ ++isulad端: ++ ++1. 创建容器时(rt_isula_create),传递给isulad-shim attach socket path; ++2. 进行attach操作时(rt_isula_attach),先根据 attach socket path与isulad-shim的socket server端建立连接,获得通信的socket fd。 ++3. 将attach 的stdin stdout与stderr fifo路径写入到socket fd中。 ++4. 从socket fd中读取isulad-shim是否成功将attach的fd加入到epoll中成功连接,若成功则直接成功返回,若失败则获取attach-log.json文件中的报错信息后报错返回。 ++ ++isulad-shim端: ++ ++1. create isulad-shim进程时,若传递的process 中包含 attach socket path, 则创建一个本地unix socket文件,用于isulad与isulad-shim之间通信。本地unix socket文件打开获得attach_isulad_fd,将attach_isulad_fd加入到epoll需要监听的fd中。 ++2. 收到attach_isulad_fd的事件后,调用do_attach_socket_accept函数,accept到通信的conn_fd后,将conn_fd加入到epoll需要监听的fd中。 ++3. 在收到conn_fd事件后,调用attach_fd函数。attach_fd函数中从attach_isulad_fd中读出stdin stdout与stderr路径,之后在shim中打开fd。将stdin对应的fd加入epoll监听列表中,有事件时调用stdin_cb。若容器有输入与输出,则除了写入到初始isulad fd中之外,还需要写入到attach的fd list中。 ++ ++### 新增文件 ++1. /run/isulad/runc/{container_id}/attach_socket.sock 用于isulad与isulad-shim attach通信 ++2. /run/isulad/runc/{container_id}/attach-log.json 用于记录isulad-shim中attach的报错信息。目前所有的attach操作共用一个attach文件 ++ ++### 未来规划 ++1. runc容器的attach支持魔术符退出(CTRL + Q),退出后不影响容器首进程的运行,也不影响其他并发的attach操作。 ++2. 由于支持魔术符退出,在GRPC版本中,可设置了ISULAD_INFO_DETACH错误码,用于标识用户输入魔术符退出,而rest版本中由于实现差异,无法识别exit退出与魔术符退出的差异,因此在魔术符退出时,会存在一条INFO级别的报错信息:`INFO("Wait container stopped status timeout.");` ++ ++## top 实现流程 ++ ++isulad端: ++ ++1. 直接调用runc二进制ps容器:runtime_call_simple(), 设置选项" --format json"; ++2. 直接解析调用返回的stdout中的容器进程pid,将其写入到rt_listpids_out_t结构体中; +\ No newline at end of file +diff --git a/docs/images/runc_isula_attach_flow_chart.svg b/docs/images/runc_isula_attach_flow_chart.svg +new file mode 100644 +index 00000000..e57a4ec0 +--- /dev/null ++++ b/docs/images/runc_isula_attach_flow_chart.svg +@@ -0,0 +1,5 @@ ++ ++ ++ ++ ++ rt_isula_createattach socket pathcreate local unix socket forattach: attach_socket_fdruntime_createisuladisulad-shimmanagecontainerfirst processadd attach_socket_fd to epoll looprt_isula_attachconnectget_attach_socketfddo_attach_socket_acceptadd conn_fd to epoll loopwrite attach isulad fdto socket fdget_container_attach_exitcodeattach_cbread isulad fd from attach conn fdeventattach connections nums exceeds the limit?yeserror exitwrite -1 to conn fdnoadd_attach_terminal_fifosadd fifofd_in fd to epoll loopsuccess exitwrite 0 to conn fdIoCopy threadisula_epoll_loop threadsio stream +\ No newline at end of file +-- +2.42.0 + diff --git a/0008-Add-vsock-support-for-exec.patch b/0008-Add-vsock-support-for-exec.patch deleted file mode 100644 index 029a6c6..0000000 --- a/0008-Add-vsock-support-for-exec.patch +++ /dev/null @@ -1,1123 +0,0 @@ -From ee941bd9f7520eb1160d6fb8a80cca2552f5d990 Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Thu, 7 Sep 2023 20:11:55 +0800 -Subject: [PATCH 08/32] Add vsock support for exec - -Signed-off-by: xuxuepeng ---- - src/daemon/modules/service/CMakeLists.txt | 4 + - .../modules/service/service_container.c | 90 +- - .../modules/service/vsock_io_handler.cc | 812 ++++++++++++++++++ - src/daemon/modules/service/vsock_io_handler.h | 46 + - src/daemon/sandbox/sandbox.cc | 21 + - src/daemon/sandbox/sandbox.h | 6 + - 6 files changed, 966 insertions(+), 13 deletions(-) - create mode 100644 src/daemon/modules/service/vsock_io_handler.cc - create mode 100644 src/daemon/modules/service/vsock_io_handler.h - -diff --git a/src/daemon/modules/service/CMakeLists.txt b/src/daemon/modules/service/CMakeLists.txt -index b0e9f04a..a7713c15 100644 ---- a/src/daemon/modules/service/CMakeLists.txt -+++ b/src/daemon/modules/service/CMakeLists.txt -@@ -5,6 +5,10 @@ if(NOT ENABLE_NATIVE_NETWORK) - list(REMOVE_ITEM local_service_srcs "${CMAKE_CURRENT_SOURCE_DIR}/service_network.c") - endif() - -+if(NOT ENABLE_CRI_API_V1) -+ list(REMOVE_ITEM local_service_srcs "${CMAKE_CURRENT_SOURCE_DIR}/vsock_io_handler.cc") -+endif() -+ - set(SERVICE_SRCS - ${local_service_srcs} - PARENT_SCOPE -diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c -index a9da669a..c4ee0223 100644 ---- a/src/daemon/modules/service/service_container.c -+++ b/src/daemon/modules/service/service_container.c -@@ -71,6 +71,7 @@ - #include "id_name_manager.h" - #ifdef ENABLE_CRI_API_V1 - #include "sandbox_ops.h" -+#include "vsock_io_handler.h" - #endif - - #define KATA_RUNTIME "kata-runtime" -@@ -2054,9 +2055,41 @@ out: - return ret; - } - --static int exec_prepare_console(const container_t *cont, const container_exec_request *request, int stdinfd, -- struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -- char **fifos, char **fifopath, int *sync_fd, pthread_t *thread_id) -+#ifdef ENABLE_CRI_API_V1 -+static int exec_prepare_vsock(const container_t *cont, const container_exec_request *request, int stdinfd, -+ struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -+ char **vsockpaths, int *sync_fd, pthread_t *thread_id) -+{ -+ uint32_t cid; -+ const char *task_address = cont->common_config->sandbox_info->task_address; -+ if (!parse_vsock_path(task_address, &cid, NULL)) { -+ ERROR("Failed to parse vsock path %s", task_address); -+ return -1; -+ } -+ -+ if (!request->attach_stdin && !request->attach_stdout && !request->attach_stderr) { -+ return 0; -+ } -+ -+ if (create_daemon_vsockpaths(cont->common_config->sandbox_info->id, cid, request->attach_stdin, request->attach_stdout, -+ request->attach_stderr, vsockpaths) != 0) { -+ return -1; -+ } -+ -+ *sync_fd = eventfd(0, EFD_CLOEXEC); -+ if (*sync_fd < 0) { -+ SYSERROR("Failed to create eventfd"); -+ return -1; -+ } -+ -+ return start_vsock_io_copy(request->suffix, *sync_fd, false, request->stdin, request->stdout, request->stderr, stdinfd, -+ stdout_handler, stderr_handler, (const char **)vsockpaths, thread_id); -+} -+#endif -+ -+static int exec_prepare_fifo(const container_t *cont, const container_exec_request *request, int stdinfd, -+ struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -+ char **fifos, char **fifopath, int *sync_fd, pthread_t *thread_id) - { - int ret = 0; - const char *id = cont->common_config->id; -@@ -2070,7 +2103,7 @@ static int exec_prepare_console(const container_t *cont, const container_exec_re - - *sync_fd = eventfd(0, EFD_CLOEXEC); - if (*sync_fd < 0) { -- ERROR("Failed to create eventfd: %s", strerror(errno)); -+ SYSERROR("Failed to create eventfd"); - ret = -1; - goto out; - } -@@ -2084,6 +2117,26 @@ out: - return ret; - } - -+#ifdef ENABLE_CRI_API_V1 -+static bool is_vsock_supported(const container_t *cont) -+{ -+ return cont->common_config->sandbox_info != NULL && -+ is_vsock_path(cont->common_config->sandbox_info->task_address); -+} -+#endif -+ -+static int exec_prepare_console(const container_t *cont, const container_exec_request *request, int stdinfd, -+ struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -+ char **io_addresses, char **iopath, int *sync_fd, pthread_t *thread_id) -+{ -+#ifdef ENABLE_CRI_API_V1 -+ if (is_vsock_supported(cont)) { -+ return exec_prepare_vsock(cont, request, stdinfd, stdout_handler, stderr_handler, io_addresses, sync_fd, thread_id); -+ } -+#endif -+ return exec_prepare_fifo(cont, request, stdinfd, stdout_handler, stderr_handler, io_addresses, iopath, sync_fd, thread_id); -+} -+ - static void exec_container_end(container_exec_response *response, const container_t *cont, - const char *exec_id, uint32_t cc, - int exit_code, int sync_fd, pthread_t thread_id) -@@ -2117,6 +2170,17 @@ static void exec_container_end(container_exec_response *response, const containe - } - } - -+static void cleanup_exec_console_io(const container_t *cont, const char *fifopath, const char *io_addresses[]) -+{ -+#ifdef ENABLE_CRI_API_V1 -+ if (is_vsock_supported(cont)) { -+ delete_daemon_vsockpaths(cont->common_config->sandbox_info->id, io_addresses); -+ return; -+ } -+#endif -+ delete_daemon_fifos(fifopath, (const char **)io_addresses); -+} -+ - static int get_exec_user_info(const container_t *cont, const char *username, defs_process_user **puser) - { - int ret = 0; -@@ -2178,8 +2242,8 @@ int exec_container(const container_t *cont, const container_exec_request *reques - int sync_fd = -1; - uint32_t cc = ISULAD_SUCCESS; - char *id = NULL; -- char *fifos[3] = { NULL, NULL, NULL }; -- char *fifopath = NULL; -+ char *io_addresses[3] = { NULL, NULL, NULL }; -+ char *iopath = NULL; - pthread_t thread_id = 0; - defs_process_user *puser = NULL; - char exec_command[EVENT_ARGS_MAX] = { 0x00 }; -@@ -2237,13 +2301,13 @@ int exec_container(const container_t *cont, const container_exec_request *reques - } - } - -- if (exec_prepare_console(cont, request, stdinfd, stdout_handler, stderr_handler, fifos, &fifopath, &sync_fd, -+ if (exec_prepare_console(cont, request, stdinfd, stdout_handler, stderr_handler, io_addresses, &iopath, &sync_fd, - &thread_id)) { - cc = ISULAD_ERR_EXEC; - goto pack_response; - } - (void)isulad_monitor_send_container_event(id, EXEC_START, -1, 0, exec_command, NULL); -- if (do_exec_container(cont, cont->runtime, (char * const *)fifos, puser, request, &exit_code)) { -+ if (do_exec_container(cont, cont->runtime, (char * const *)io_addresses, puser, request, &exit_code)) { - cc = ISULAD_ERR_EXEC; - goto pack_response; - } -@@ -2253,11 +2317,11 @@ int exec_container(const container_t *cont, const container_exec_request *reques - - pack_response: - exec_container_end(response, cont, request->suffix, cc, exit_code, sync_fd, thread_id); -- delete_daemon_fifos(fifopath, (const char **)fifos); -- free(fifos[0]); -- free(fifos[1]); -- free(fifos[2]); -- free(fifopath); -+ cleanup_exec_console_io(cont, iopath, (const char **)io_addresses); -+ free(io_addresses[0]); -+ free(io_addresses[1]); -+ free(io_addresses[2]); -+ free(iopath); - free_defs_process_user(puser); - - return (cc == ISULAD_SUCCESS) ? 0 : -1; -diff --git a/src/daemon/modules/service/vsock_io_handler.cc b/src/daemon/modules/service/vsock_io_handler.cc -new file mode 100644 -index 00000000..efc74bc8 ---- /dev/null -+++ b/src/daemon/modules/service/vsock_io_handler.cc -@@ -0,0 +1,812 @@ -+/****************************************************************************** -+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. -+ * iSulad licensed under the Mulan PSL v2. -+ * You can use this software according to the terms and conditions of the Mulan PSL v2. -+ * You may obtain a copy of Mulan PSL v2 at: -+ * http://license.coscl.org.cn/MulanPSL2 -+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -+ * PURPOSE. -+ * See the Mulan PSL v2 for more details. -+ * Author: xuxuepeng -+ * Create: 2023-09-04 -+ * Description: provide vsock io functions -+ ********************************************************************************/ -+#include "vsock_io_handler.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "console.h" -+#include "utils.h" -+#include "sandbox_manager.h" -+#include "sandbox.h" -+ -+const std::string VSOCK_PREFIX = "vsock://"; -+const int VSOCK_RETRY_INTERVAL = 1000; // 1000ms -+const int VSOCK_RETRY_TIMEOUT = 10000; // 10000ms -+const int MILLI_TO_MICRO = 1000; -+ -+bool is_vsock_path(const char *path) -+{ -+ if (path == NULL) { -+ return false; -+ } -+ std::string path_str = path; -+ if (path_str.find(VSOCK_PREFIX) == 0) { -+ return true; -+ } -+ -+ return false; -+} -+ -+bool parse_vsock_path(const char *vsock_path, uint32_t *cid, uint32_t *port) -+{ -+ uint32_t vsock_cid, vsock_port; -+ -+ if (!is_vsock_path(vsock_path)) { -+ ERROR("Invalid vsock path, %s", vsock_path); -+ return false; -+ } -+ std::string vsock_path_str = vsock_path; -+ std::string vsock_address = vsock_path_str.substr(VSOCK_PREFIX.size()); -+ if (vsock_address.empty()) { -+ ERROR("Invalid vsock address, %s", vsock_path); -+ return false; -+ } -+ -+ // split vsock_address by ':' -+ size_t col_pos = vsock_address.find(':'); -+ if (col_pos == std::string::npos) { -+ ERROR("Failed to find ':' in vsock address, %s", vsock_path); -+ return false; -+ } -+ -+ std::string cid_str = vsock_address.substr(0, col_pos); -+ if (util_safe_uint(cid_str.c_str(), &vsock_cid) != 0) { -+ ERROR("Failed to parse cid, %s", cid_str.c_str()); -+ return false; -+ } -+ -+ std::string port_str = vsock_address.substr(col_pos + 1); -+ if (util_safe_uint(port_str.c_str(), &vsock_port) != 0) { -+ ERROR("Failed to parse port, %s", port_str.c_str()); -+ return false; -+ } -+ -+ if (cid != NULL) { -+ *cid = vsock_cid; -+ } -+ -+ if (port != NULL) { -+ *port = vsock_port; -+ } -+ -+ return true; -+} -+ -+static int find_available_vsock_port_for_sandbox(const char *sandbox_id, uint32_t *port) -+{ -+ if (sandbox_id == NULL || port == NULL) { -+ ERROR("Invalid NULL sandbox id or port"); -+ return -1; -+ } -+ std::string sandbox_id_str = sandbox_id; -+ std::shared_ptr sandbox = sandbox::SandboxManager::GetInstance()->GetSandbox(sandbox_id_str); -+ if (sandbox == nullptr) { -+ ERROR("Failed to find sandbox %s", sandbox_id); -+ return -1; -+ } -+ -+ if (sandbox->FindAvailableVsockPort(*port)) { -+ return 0; -+ } -+ -+ ERROR("Failed to find available vsock port for sandbox %s", sandbox_id); -+ -+ return -1; -+} -+ -+static void release_vsock_port_for_sandbox(const char *sandbox_id, uint32_t port) -+{ -+ if (sandbox_id == NULL) { -+ return; -+ } -+ std::string sandbox_id_str = sandbox_id; -+ std::shared_ptr sandbox = sandbox::SandboxManager::GetInstance()->GetSandbox(sandbox_id_str); -+ if (sandbox == nullptr) { -+ return; -+ } -+ -+ sandbox->ReleaseVsockPort(port); -+} -+ -+static int set_flags(int fd, int flags) -+{ -+ int curflag; -+ int ret; -+ -+ curflag = fcntl(fd, F_GETFL, 0); -+ if (curflag < 0) { -+ SYSERROR("Failed to get flags for vsock fd"); -+ return -1; -+ } -+ -+ ret = fcntl(fd, F_SETFL, curflag | flags); -+ if (ret != 0) { -+ SYSERROR("Failed to set flags for vsock fd"); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+static int vsock_connect(uint32_t cid, uint32_t port) -+{ -+ int fd = -1; -+ struct sockaddr_vm sa = { 0 }; -+ -+ fd = socket(AF_VSOCK, SOCK_STREAM, 0); -+ if (fd < 0) { -+ SYSERROR("Failed to create vsock socket"); -+ return -1; -+ } -+ -+ sa.svm_family = AF_VSOCK; -+ sa.svm_cid = cid; -+ sa.svm_port = port; -+ -+ if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) !=0) { -+ SYSERROR("Failed to connect vsock socket"); -+ close(fd); -+ return -1; -+ } -+ return fd; -+} -+ -+/* -+ * We setup connection as a client, so we need to wait the server to be ready. -+ * In the following function, we need to keep retrying until connection is established. -+ * The retrying time is 10s. -+ */ -+int vsock_open(const char *vsock_path, int *fdout, int flags) -+{ -+ int ret; -+ int fd = -1; -+ int retry = 0; -+ uint32_t cid; -+ uint32_t port; -+ -+ if (vsock_path == NULL || fdout == NULL) { -+ ERROR("Invalid NULL vsock path or fdout"); -+ return -1; -+ } -+ -+ if (!parse_vsock_path(vsock_path, &cid, &port)) { -+ ERROR("Failed to parse vsock path, %s", vsock_path); -+ return -1; -+ } -+ -+ DEBUG("Open vsock, cid %u, port %u", cid, port); -+ -+ while (retry < VSOCK_RETRY_TIMEOUT) { -+ fd = vsock_connect(cid, port); -+ if (fd >= 0) { -+ break; -+ } -+ DEBUG("Failed to connect vsock socket"); -+ retry += VSOCK_RETRY_INTERVAL; -+ usleep(VSOCK_RETRY_INTERVAL * MILLI_TO_MICRO); -+ } -+ -+ if (retry >= VSOCK_RETRY_TIMEOUT) { -+ ERROR("Failed to connect vsock socket, timeout"); -+ return -1; -+ } -+ -+ ret = set_flags(fd, flags); -+ if (ret < 0) { -+ ERROR("Failed to set flags for vsock fd"); -+ close(fd); -+ return -1; -+ } -+ -+ *fdout = fd; -+ return 0; -+} -+ -+static char *create_single_vsockpath(const char *sandbox_id, uint32_t cid) -+{ -+ uint32_t vsock_port; -+ -+ if (find_available_vsock_port_for_sandbox(sandbox_id, &vsock_port) != 0) { -+ ERROR("Failed to find available vsock port for sandbox %s", sandbox_id); -+ return NULL; -+ } -+ std::string vsock_address = VSOCK_PREFIX + std::to_string(cid) + ":" + std::to_string(vsock_port); -+ -+ DEBUG("Create vsock path %s for sandbox %s", vsock_address.c_str(), sandbox_id); -+ -+ return util_strdup_s(vsock_address.c_str()); -+} -+ -+int create_daemon_vsockpaths(const char *sandbox_id, uint32_t cid, bool attach_stdin, bool attach_stdout, -+ bool attach_stderr, char *vsockpaths[]) -+{ -+ int ret = -1; -+ -+ if (sandbox_id == NULL || vsockpaths == NULL) { -+ return -1; -+ } -+ if (attach_stdin) { -+ vsockpaths[0] = create_single_vsockpath(sandbox_id, cid); -+ if (vsockpaths[0] == NULL) { -+ goto errout; -+ } -+ } -+ -+ if (attach_stdout) { -+ vsockpaths[1] = create_single_vsockpath(sandbox_id, cid); -+ if (vsockpaths[1] == NULL) { -+ goto errout; -+ } -+ } -+ -+ if (attach_stderr) { -+ vsockpaths[2] = create_single_vsockpath(sandbox_id, cid); -+ if (vsockpaths[2] == NULL) { -+ goto errout; -+ } -+ } -+ -+ ret = 0; -+errout: -+ if (ret != 0) { -+ delete_daemon_vsockpaths(sandbox_id, (const char **)vsockpaths); -+ free(vsockpaths[0]); -+ free(vsockpaths[1]); -+ free(vsockpaths[2]); -+ vsockpaths[0] = NULL; -+ vsockpaths[1] = NULL; -+ vsockpaths[2] = NULL; -+ } -+ -+ return ret; -+} -+ -+static void delete_single_vsockpath(const char *sandbox_id, const char *vsockpath) -+{ -+ uint32_t cid; -+ uint32_t port; -+ -+ if (vsockpath == NULL) { -+ return; -+ } -+ if (!parse_vsock_path(vsockpath, &cid, &port)) { -+ ERROR("Failed to parse vsock path, %s", vsockpath); -+ return; -+ } -+ release_vsock_port_for_sandbox(sandbox_id, port); -+} -+ -+void delete_daemon_vsockpaths(const char *sandbox_id, const char *vsockpaths[]) -+{ -+ if (sandbox_id == NULL || vsockpaths == NULL) { -+ return; -+ } -+ if (vsockpaths[0] != NULL) { -+ delete_single_vsockpath(sandbox_id, vsockpaths[0]); -+ } -+ if (vsockpaths[1] != NULL) { -+ delete_single_vsockpath(sandbox_id, vsockpaths[1]); -+ } -+ if (vsockpaths[2] != NULL) { -+ delete_single_vsockpath(sandbox_id, vsockpaths[2]); -+ } -+} -+ -+enum IOFlowType{ -+ IO_SRC = 0, -+ IO_DST, -+ IO_FLOW_INVALID, -+}; -+ -+static ssize_t WriteToFIFO(void *context, const void *data, size_t len) -+{ -+ ssize_t ret; -+ int fd; -+ -+ fd = *(int *)context; -+ ret = util_write_nointr_in_total(fd, static_cast(data), len); -+ if ((ret < 0) || (size_t)ret != len) { -+ SYSERROR("Failed to write %d", fd); -+ return -1; -+ } -+ return ret; -+} -+ -+static ssize_t WriteToFd(void *context, const void *data, size_t len) -+{ -+ ssize_t ret; -+ -+ ret = util_write_nointr(*(int *)context, static_cast(data), len); -+ if (ret < 0 || (size_t)ret != len) { -+ SYSERROR("Failed to write"); -+ return -1; -+ } -+ return ret; -+} -+ -+class IOEntry { -+public: -+ IOEntry() -+ { -+ m_initialized = false; -+ m_fd = -1; -+ m_flags = 0; -+ m_flowType = IO_FLOW_INVALID; -+ } -+ -+ virtual ~IOEntry() = default; -+ -+ virtual int Init() = 0; -+ -+ bool Initialized() const -+ { -+ return m_initialized; -+ } -+ -+ virtual int GetFd() -+ { -+ if (!Initialized()) { -+ return -1; -+ } -+ return m_fd; -+ } -+ -+ virtual struct io_write_wrapper *GetWriter() -+ { -+ if (!Initialized()) { -+ return NULL; -+ } -+ if (m_flowType == IO_SRC) { -+ return NULL; -+ } -+ return &m_writer; -+ } -+ virtual std::string ToString() = 0; -+protected: -+ int m_flags; -+ bool m_initialized; -+ int m_fd; -+ struct io_write_wrapper m_writer; -+ IOFlowType m_flowType; -+}; -+ -+ -+ -+class IOFdEntry : public IOEntry { -+public: -+ IOFdEntry(int fd, IOFlowType flowType): IOEntry() -+ { -+ m_fd = fd; -+ m_flowType = flowType; -+ } -+ -+ ~IOFdEntry() override -+ { -+ if (m_initialized && m_fd >= 0) { -+ close(m_fd); -+ m_fd = -1; -+ } -+ } -+ -+ int Init() override -+ { -+ if (m_initialized) { -+ return 0; -+ } -+ if (m_flowType == IO_DST) { -+ m_writer.context = &m_fd; -+ m_writer.write_func = WriteToFd; -+ } -+ m_initialized = true; -+ return 0; -+ } -+ -+ std::string ToString() override -+ { -+ return "file descriptor " + std::to_string(m_fd); -+ } -+}; -+ -+class IOFifoEntry : public IOEntry { -+public: -+ IOFifoEntry(const char *path, int flags, IOFlowType flowType): IOEntry() -+ { -+ m_fifoPath = path; -+ m_flags = flags; -+ m_flowType = flowType; -+ } -+ -+ ~IOFifoEntry() override -+ { -+ if (m_initialized && m_fd >= 0) { -+ console_fifo_close(m_fd); -+ m_fd = -1; -+ } -+ } -+ -+ int Init() override -+ { -+ if (m_initialized) { -+ return 0; -+ } -+ -+ if (m_flowType == IO_SRC) { -+ if (console_fifo_open(m_fifoPath.c_str(), &m_fd, m_flags) != 0) { -+ ERROR("Failed to open fifo, %s", m_fifoPath.c_str()); -+ return -1; -+ } -+ } else { -+ if (console_fifo_open_withlock(m_fifoPath.c_str(), &m_fd, m_flags)) { -+ ERROR("Failed to open console fifo."); -+ return -1; -+ } -+ m_writer.context = &m_fd; -+ m_writer.write_func = WriteToFIFO; -+ } -+ m_initialized = true; -+ return 0; -+ } -+ -+ std::string ToString() override -+ { -+ return "FIFO " + m_fifoPath; -+ } -+private: -+ std::string m_fifoPath; -+}; -+ -+class IOVsockEntry : public IOEntry { -+public: -+ IOVsockEntry(const char *path, int flags, IOFlowType flowType): IOEntry() -+ { -+ m_vsockPath = path; -+ m_flags = flags; -+ m_flowType = flowType; -+ } -+ -+ ~IOVsockEntry() override -+ { -+ if (m_initialized && m_fd >= 0) { -+ close(m_fd); -+ m_fd = -1; -+ } -+ } -+ -+ int Init() override -+ { -+ if (m_initialized) { -+ return 0; -+ } -+ if (vsock_open(m_vsockPath.c_str(), &m_fd, m_flags) != 0) { -+ ERROR("Failed to open vsock, %s", m_vsockPath.c_str()); -+ return -1; -+ } -+ if (m_flowType != IO_SRC) { -+ m_writer.context = &m_fd; -+ m_writer.write_func = WriteToFd; -+ } -+ m_initialized = true; -+ return 0; -+ } -+ -+ std::string ToString() override -+ { -+ return "vsock " + m_vsockPath; -+ } -+private: -+ std::string m_vsockPath; -+}; -+ -+class IOFuncEntry : public IOEntry { -+public: -+ IOFuncEntry(struct io_write_wrapper *handler, IOFlowType flowType): IOEntry() -+ { -+ m_handler = handler; -+ m_flowType = flowType; -+ } -+ -+ ~IOFuncEntry() override -+ { -+ if (m_initialized && m_handler != NULL) { -+ if (m_handler->close_func != NULL) { -+ m_handler->close_func(m_handler->context, NULL); -+ } -+ m_handler = NULL; -+ } -+ } -+ -+ int Init() override -+ { -+ if (m_initialized) { -+ return 0; -+ } -+ if (m_flowType == IO_SRC) { -+ ERROR("IO func entry should not be used for stdin channel"); -+ return -1; -+ } -+ m_writer.context = m_handler->context; -+ m_writer.write_func = m_handler->write_func; -+ m_writer.close_func = m_handler->close_func; -+ m_initialized = true; -+ return 0; -+ } -+ -+ std::string ToString() override -+ { -+ return "IO func entry"; -+ } -+private: -+ struct io_write_wrapper *m_handler; -+}; -+ -+/** -+ * IOCopy defines the copy relationship between two IO. -+ * It defines source IOEntry to read data from, destination IOEntry to write data to, -+ * and the transfer channel type. -+ */ -+class IOCopy { -+public: -+ IOCopy(std::unique_ptr src, std::unique_ptr dst, transfer_channel_type channel) -+ { -+ m_src = std::move(src); -+ m_dst = std::move(dst); -+ m_channel = channel; -+ } -+ ~IOCopy() = default; -+ IOEntry &GetSrc() -+ { -+ return *m_src; -+ } -+ IOEntry &GetDst() -+ { -+ return *m_dst; -+ } -+ transfer_channel_type GetChannel() -+ { -+ return m_channel; -+ } -+private: -+ std::unique_ptr m_src; -+ std::unique_ptr m_dst; -+ transfer_channel_type m_channel; -+}; -+ -+class IOCopyCollection { -+public: -+ IOCopyCollection() = default; -+ ~IOCopyCollection() = default; -+ void AddIOCopy(std::unique_ptr src, std::unique_ptr dst, transfer_channel_type channel) -+ { -+ m_copies.push_back(std::unique_ptr(new IOCopy(std::move(src), std::move(dst), channel))); -+ } -+ -+ int Init() -+ { -+ for (auto © : m_copies) { -+ if (copy->GetSrc().Init() != 0) { -+ ERROR("Failed to init src IO, %s", copy->GetSrc().ToString().c_str()); -+ return -1; -+ } -+ if (copy->GetDst().Init() != 0) { -+ ERROR("Failed to init dst IO, %s", copy->GetDst().ToString().c_str()); -+ return -1; -+ } -+ } -+ return 0; -+ } -+ -+ size_t Size() -+ { -+ return m_copies.size(); -+ } -+ -+ int *GetSrcFds() -+ { -+ size_t len = m_copies.size(); -+ int *fds = new int[len]; -+ for (size_t i = 0; i < len; i++) { -+ int fd = m_copies[i]->GetSrc().GetFd(); -+ if (fd < 0) { -+ ERROR("Invalid fd: %s", m_copies[i]->GetSrc().ToString().c_str()); -+ delete[] fds; -+ return NULL; -+ } -+ fds[i] = m_copies[i]->GetSrc().GetFd(); -+ } -+ return fds; -+ } -+ -+ struct io_write_wrapper *GetDstWriters() -+ { -+ size_t len = m_copies.size(); -+ struct io_write_wrapper *writers = new struct io_write_wrapper[len]; -+ for (size_t i = 0; i < len; i++) { -+ struct io_write_wrapper *writer = m_copies[i]->GetDst().GetWriter(); -+ if (writer == NULL) { -+ ERROR("Invalid writer: %s", m_copies[i]->GetDst().ToString().c_str()); -+ delete[] writers; -+ return NULL; -+ } -+ writers[i] = *writer; -+ } -+ return writers; -+ } -+ -+ transfer_channel_type *GetChannels() -+ { -+ size_t len = m_copies.size(); -+ transfer_channel_type *channels = new transfer_channel_type[len]; -+ for (size_t i = 0; i < len; i++) { -+ channels[i] = m_copies[i]->GetChannel(); -+ } -+ return channels; -+ } -+ -+private: -+ std::vector> m_copies; -+}; -+ -+/** -+ * IO Copy module basically connect two IO together, and copy data from one to another. -+ * For the IO between iSula/Websocket and iSulad, there are two forms: -+ * 1. FIFO: iSula/Websocket will create three fifo files for communication with iSulad. -+ * 2. FD and Callback: iSula/Websocket will use fd for input Channel with iSulad, -+ * and use callback for output and error Channel. -+ * The IO between iSulad and container could be different types, such as FIFO, VSOCK. -+ -------------------------------------------------------------------------------------- -+ | CHANNEL | iSula/Websocket iSulad container| -+ -------------------------------------------------------------------------------------- -+ | | fifoin | stdin_fd vsocks[0] | -+ | IN | RDWR --------> RD RDWR --------> RD | -+ -------------------------------------------------------------------------------------- -+ | | fifoout | stdout_handler vsocks[1] | -+ | OUT | RD <-------- WR RD <-------- WR | -+ -------------------------------------------------------------------------------------- -+ | | fifoerr stderr_handler vsocks[2] | -+ | ERR | RD <-------- WR RD <-------- WR | -+ -------------------------------------------------------------------------------------- -+*/ -+static void PrepareIOCopyCollection(const char *fifoin, const char *fifoout, const char *fifoerr, -+ int stdin_fd, struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -+ const char *vsocks[], IOCopyCollection &ioCollection) -+{ -+ if (fifoin != NULL) { -+ ioCollection.AddIOCopy(std::unique_ptr(new IOFifoEntry(fifoin, O_RDONLY | O_NONBLOCK, IO_SRC)), -+ std::unique_ptr(new IOVsockEntry(vsocks[0], O_WRONLY | O_NONBLOCK, IO_DST)), STDIN_CHANNEL); -+ } -+ if (fifoout != NULL) { -+ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[1], O_RDONLY | O_NONBLOCK, IO_SRC)), -+ std::unique_ptr(new IOFifoEntry(fifoout, O_WRONLY | O_NONBLOCK, IO_DST)), STDOUT_CHANNEL); -+ } -+ if (fifoerr != NULL) { -+ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[2], O_RDONLY | O_NONBLOCK, IO_SRC)), -+ std::unique_ptr(new IOFifoEntry(fifoerr, O_WRONLY | O_NONBLOCK, IO_DST)), STDERR_CHANNEL); -+ } -+ if (stdin_fd >= 0) { -+ ioCollection.AddIOCopy(std::unique_ptr(new IOFdEntry(stdin_fd, IO_SRC)), -+ std::unique_ptr(new IOVsockEntry(vsocks[0], O_WRONLY | O_NONBLOCK, IO_DST)), STDIN_CHANNEL); -+ } -+ if (stdout_handler != NULL) { -+ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[1], O_RDONLY | O_NONBLOCK, IO_SRC)), -+ std::unique_ptr(new IOFuncEntry(stdout_handler, IO_DST)), STDOUT_CHANNEL); -+ } -+ if (stderr_handler != NULL) { -+ ioCollection.AddIOCopy(std::unique_ptr(new IOVsockEntry(vsocks[2], O_RDONLY | O_NONBLOCK, IO_SRC)), -+ std::unique_ptr(new IOFuncEntry(stderr_handler, IO_DST)), STDERR_CHANNEL); -+ } -+} -+ -+struct IOCopyThreadArgs { -+ IOCopyCollection ioCollection; -+ int sync_fd; -+ bool detach; -+ std::string exec_id; -+ IOCopyThreadArgs() = default; -+ ~IOCopyThreadArgs() = default; -+}; -+ -+static void *IOCopyThread(void *arg) -+{ -+ if (arg == NULL) { -+ return NULL; -+ } -+ -+ std::unique_ptr threadArg((struct IOCopyThreadArgs *)arg); -+ -+ if (threadArg->detach) { -+ if (pthread_detach(pthread_self()) != 0) { -+ CRIT("Set thread detach fail"); -+ return NULL; -+ } -+ } -+ -+ std::string tname = "IoCopy"; -+ if (!threadArg->exec_id.empty()) { -+ // The name of the thread cannot be longer than 16 bytes, -+ // so just use the first 4 bytes of exec_id as thread name. -+ tname = "IoCopy-" + threadArg->exec_id.substr(0, 4); -+ } -+ -+ (void)prctl(PR_SET_NAME, tname.c_str()); -+ -+ if (threadArg->ioCollection.Init() != 0) { -+ ERROR("Failed to init IO copy collection"); -+ return NULL; -+ } -+ -+ size_t len = threadArg->ioCollection.Size(); -+ if (len == 0) { -+ ERROR("No IO copy to be done"); -+ return NULL; -+ } -+ -+ std::unique_ptr srcfds(threadArg->ioCollection.GetSrcFds()); -+ if (srcfds == NULL) { -+ ERROR("Failed to get src fds"); -+ return NULL; -+ } -+ -+ std::unique_ptr writers(threadArg->ioCollection.GetDstWriters()); -+ if (writers == NULL) { -+ ERROR("Failed to get dst writers"); -+ return NULL; -+ } -+ -+ std::unique_ptr channels(threadArg->ioCollection.GetChannels()); -+ if (channels == NULL) { -+ ERROR("Failed to get channels"); -+ return NULL; -+ } -+ -+ (void)console_loop_io_copy(threadArg->sync_fd, srcfds.get(), writers.get(), channels.get(), len); -+ return NULL; -+} -+ -+int start_vsock_io_copy(const char *exec_id, int sync_fd, bool detach, const char *fifoin, const char *fifoout, const char *fifoerr, -+ int stdin_fd, struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -+ const char *vsocks[], pthread_t *tid) -+{ -+ if (sync_fd < 0 || vsocks == NULL || tid == NULL) { -+ ERROR("Invalid NULL arguments"); -+ return -1; -+ } -+ -+ struct IOCopyThreadArgs *args = new IOCopyThreadArgs(); -+ args->sync_fd = sync_fd; -+ args->detach = detach; -+ if (exec_id != NULL) { -+ args->exec_id = exec_id; -+ } -+ -+ PrepareIOCopyCollection(fifoin, fifoout, fifoerr, stdin_fd, stdout_handler, stderr_handler, vsocks, args->ioCollection); -+ -+ int ret = pthread_create(tid, NULL, IOCopyThread, (void *)args); -+ if (ret != 0) { -+ CRIT("Thread creation failed"); -+ delete args; -+ } -+ -+ return ret; -+} -diff --git a/src/daemon/modules/service/vsock_io_handler.h b/src/daemon/modules/service/vsock_io_handler.h -new file mode 100644 -index 00000000..cc0c1dd0 ---- /dev/null -+++ b/src/daemon/modules/service/vsock_io_handler.h -@@ -0,0 +1,46 @@ -+/****************************************************************************** -+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. -+ * iSulad licensed under the Mulan PSL v2. -+ * You can use this software according to the terms and conditions of the Mulan PSL v2. -+ * You may obtain a copy of Mulan PSL v2 at: -+ * http://license.coscl.org.cn/MulanPSL2 -+ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -+ * PURPOSE. -+ * See the Mulan PSL v2 for more details. -+ * Author: xuxuepeng -+ * Create: 2023-09-04 -+ * Description: provide vsock io functions -+ ********************************************************************************/ -+ -+#ifndef DAEMON_MODULES_SERVICE_VSOCK_IO_H -+#define DAEMON_MODULES_SERVICE_VSOCK_IO_H -+ -+#include -+#include -+ -+#ifdef __cplusplus -+extern "C" -+{ -+#endif -+ -+bool is_vsock_path(const char *path); -+ -+bool parse_vsock_path(const char *vsock_path, uint32_t *cid, uint32_t *port); -+ -+int vsock_open(const char *vsock_path, int *fdout, int flags); -+ -+int create_daemon_vsockpaths(const char *sandbox_id, uint32_t cid, bool attach_stdin, bool attach_stdout, -+ bool attach_stderr, char *vsockpaths[]); -+ -+void delete_daemon_vsockpaths(const char *sandbox_id, const char *vsockpaths[]); -+ -+int start_vsock_io_copy(const char *exec_id, int sync_fd, bool detach, const char *fifoin, const char *fifoout, const char *fifoerr, -+ int stdin_fd, struct io_write_wrapper *stdout_handler, struct io_write_wrapper *stderr_handler, -+ const char *vsocks[], pthread_t *tid); -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif // DAEMON_MODULES_SERVICE_VSOCK_IO_H -diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc -index 968dae24..94c2684a 100644 ---- a/src/daemon/sandbox/sandbox.cc -+++ b/src/daemon/sandbox/sandbox.cc -@@ -43,6 +43,8 @@ - namespace sandbox { - - const std::string SHM_MOUNT_POINT = "/dev/shm"; -+const uint32_t VSOCK_START_PORT = 2000; -+const uint32_t VSOCK_END_PORT = 65535; - - static int WriteDefaultSandboxHosts(const std::string &path, const std::string &hostname) - { -@@ -1014,6 +1016,25 @@ void Sandbox::SetNetworkSettings(const std::string &settings, Errors &error) - } - } - -+auto Sandbox::FindAvailableVsockPort(uint32_t &port) -> bool -+{ -+ std::unique_lock lock(m_vsockPortsMutex); -+ for (uint32_t i = VSOCK_START_PORT; i < VSOCK_END_PORT; i++) { -+ if (m_vsockPorts.find(i) == m_vsockPorts.end()) { -+ m_vsockPorts.insert(i); -+ port = i; -+ return true; -+ } -+ } -+ return false; -+} -+ -+void Sandbox::ReleaseVsockPort(uint32_t port) -+{ -+ std::unique_lock lock(m_vsockPortsMutex); -+ m_vsockPorts.erase(port); -+} -+ - auto Sandbox::GetTaskAddress() const -> const std::string & - { - return m_taskAddress; -diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h -index 6ae2750f..0f135e70 100644 ---- a/src/daemon/sandbox/sandbox.h -+++ b/src/daemon/sandbox/sandbox.h -@@ -117,6 +117,8 @@ public: - auto UpdateStatsInfo(const StatsInfo &info) -> StatsInfo; - void SetNetworkReady(bool ready); - void SetNetworkMode(const std::string &networkMode); -+ auto FindAvailableVsockPort(uint32_t &port) -> bool; -+ void ReleaseVsockPort(uint32_t port); - auto CleanupSandboxFiles(Errors &error) -> bool; - - // Save to file -@@ -205,6 +207,10 @@ private: - - // it should select accroding to the config - std::shared_ptr m_controller { nullptr }; -+ -+ // vsock ports -+ std::mutex m_vsockPortsMutex; -+ std::set m_vsockPorts; - }; - - } // namespace sandbox --- -2.25.1 - diff --git a/0009-2243-Refactor-capbilities-specs.patch b/0009-2243-Refactor-capbilities-specs.patch new file mode 100644 index 0000000..116a30f --- /dev/null +++ b/0009-2243-Refactor-capbilities-specs.patch @@ -0,0 +1,1056 @@ +From e84112fd7128e05a1a4a380d8242c672d1f539f9 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Mon, 13 Nov 2023 08:44:15 +0000 +Subject: [PATCH 09/14] !2243 Refactor capbilities specs * Refactor capbilities + specs + +--- + src/cmd/isula/isula_host_spec.c | 1 + + src/daemon/modules/spec/specs.c | 12 +- + src/daemon/modules/spec/specs_security.c | 140 ++++---- + src/utils/cutils/utils_cap.c | 119 +++++++ + src/utils/cutils/utils_cap.h | 39 +++ + src/utils/cutils/utils_verify.c | 81 ----- + src/utils/cutils/utils_verify.h | 6 - + test/cutils/utils_verify/utils_verify_ut.cc | 14 - + .../image/oci/oci_config_merge/CMakeLists.txt | 1 + + test/image/oci/storage/images/CMakeLists.txt | 1 + + test/specs/specs/CMakeLists.txt | 1 + + test/specs/specs/oci_runtime_spec.json | 32 ++ + test/specs/specs/specs_ut.cc | 315 ++++++++++++++++++ + test/specs/specs_extend/CMakeLists.txt | 1 + + 14 files changed, 573 insertions(+), 190 deletions(-) + create mode 100644 src/utils/cutils/utils_cap.c + create mode 100644 src/utils/cutils/utils_cap.h + +diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c +index 6f39588d..09dea271 100644 +--- a/src/cmd/isula/isula_host_spec.c ++++ b/src/cmd/isula/isula_host_spec.c +@@ -36,6 +36,7 @@ + #include "utils_file.h" + #include "utils_string.h" + #include "utils_verify.h" ++#include "utils_cap.h" + #include "opt_ulimit.h" + + static bool parse_restart_policy(const char *policy, host_config_restart_policy **rp) +diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c +index 95346603..cc49d85f 100644 +--- a/src/daemon/modules/spec/specs.c ++++ b/src/daemon/modules/spec/specs.c +@@ -49,6 +49,7 @@ + #include "utils_file.h" + #include "utils_string.h" + #include "utils_verify.h" ++#include "utils_cap.h" + + #ifndef CLONE_NEWUTS + #define CLONE_NEWUTS 0x04000000 +@@ -814,15 +815,16 @@ static int adapt_settings_for_privileged(oci_runtime_spec *oci_spec, bool privil + { + int ret = 0; + size_t all_caps_len = 0; ++ const char **all_caps = NULL; + + if (!privileged) { + return 0; + } + +- all_caps_len = util_get_all_caps_len(); +- if (oci_spec == NULL) { +- ret = -1; +- goto out; ++ all_caps = util_get_all_caps(&all_caps_len); ++ if (all_caps == NULL) { ++ ERROR("Failed to get all capabilities"); ++ return -1; + } + + clean_correlated_items(oci_spec); +@@ -838,7 +840,7 @@ static int adapt_settings_for_privileged(oci_runtime_spec *oci_spec, bool privil + goto out; + } + +- ret = refill_oci_process_capabilities(&oci_spec->process->capabilities, g_all_caps, all_caps_len); ++ ret = refill_oci_process_capabilities(&oci_spec->process->capabilities, all_caps, all_caps_len); + if (ret != 0) { + ERROR("Failed to copy all capabilities"); + ret = -1; +diff --git a/src/daemon/modules/spec/specs_security.c b/src/daemon/modules/spec/specs_security.c +index e78cc744..b34aec7c 100644 +--- a/src/daemon/modules/spec/specs_security.c ++++ b/src/daemon/modules/spec/specs_security.c +@@ -37,6 +37,7 @@ + #include "utils_array.h" + #include "utils_string.h" + #include "utils_verify.h" ++#include "utils_cap.h" + + #define MAX_CAP_LEN 32 + +@@ -104,41 +105,31 @@ static int tweak_drops_capabilities(char ***new_caps, size_t *new_caps_len, char + size_t i = 0; + int ret = 0; + +- if (util_strings_in_slice((const char **)drops, drops_len, "all")) { +- goto out; ++ if (basic_caps == NULL || basic_caps_len == 0) { ++ *new_caps = NULL; ++ *new_caps_len = 0; ++ return 0; + } + +- for (i = 0; (basic_caps != NULL && i < basic_caps_len); i++) { +- // skip `all` already handled above +- if (!basic_caps[i] || !strcasecmp(basic_caps[i], "all")) { +- continue; +- } +- +- // if we don't drop `all`, add back all the non-dropped caps ++ for (i = 0; i < basic_caps_len; i++) { + if (!util_strings_in_slice((const char **)drops, drops_len, basic_caps[i] + strlen("CAP_"))) { + ret = append_capability(new_caps, new_caps_len, basic_caps[i]); + if (ret != 0) { + ERROR("Failed to append capabilities"); +- ret = -1; +- goto out; ++ return -1; + } + } + } + +-out: +- return ret; ++ return 0; + } + + static int tweak_adds_capabilities(char ***new_caps, size_t *new_caps_len, const char **adds, size_t adds_len) + { + size_t i = 0; +- int ret = 0; + int nret = 0; +- size_t all_caps_len = 0; + char tmpcap[MAX_CAP_LEN] = { 0 }; + +- all_caps_len = util_get_all_caps_len(); +- + for (i = 0; i < adds_len; i++) { + // skip `all` already handled above + if (strcasecmp(adds[i], "all") == 0) { +@@ -148,111 +139,92 @@ static int tweak_adds_capabilities(char ***new_caps, size_t *new_caps_len, const + nret = snprintf(tmpcap, sizeof(tmpcap), "CAP_%s", adds[i]); + if (nret < 0 || (size_t)nret >= sizeof(tmpcap)) { + ERROR("Failed to print string"); +- ret = -1; +- goto out; +- } +- if (!util_strings_in_slice(g_all_caps, all_caps_len, tmpcap)) { +- ERROR("Unknown capability to add: '%s'", tmpcap); +- ret = -1; +- goto out; ++ return -1; + } + + // add cap if not already in the list + if (!util_strings_in_slice((const char **)*new_caps, *new_caps_len, tmpcap)) { +- ret = append_capability(new_caps, new_caps_len, tmpcap); +- if (ret != 0) { ++ nret = append_capability(new_caps, new_caps_len, tmpcap); ++ if (nret != 0) { + ERROR("Failed to append capabilities"); +- ret = -1; +- goto out; ++ return -1; + } + } + } + +-out: +- return ret; +-} +- +-static bool valid_drops_cap(const char **drops, size_t drops_len) +-{ +- int nret = 0; +- size_t i; +- size_t all_caps_len = 0; +- char tmpcap[MAX_CAP_LEN] = { 0 }; +- +- all_caps_len = util_get_all_caps_len(); +- // look for invalid cap in the drop list +- for (i = 0; i < drops_len; i++) { +- if (strcasecmp(drops[i], "all") == 0) { +- continue; +- } +- +- nret = snprintf(tmpcap, sizeof(tmpcap), "CAP_%s", drops[i]); +- if (nret < 0 || (size_t)nret >= sizeof(tmpcap)) { +- ERROR("Failed to print string"); +- return false; +- } +- if (!util_strings_in_slice(g_all_caps, all_caps_len, tmpcap)) { +- ERROR("Unknown capability to drop: '%s'", drops[i]); +- return false; +- } +- } +- +- return true; ++ return 0; + } + + // tweak_capabilities can tweak capabilities by adding or dropping capabilities +-// based on the basic capabilities. ++// based on the basic capabilities. The following are the priorities of the tweaks: ++// 1. if adds contains "all", then the basic capabilities will be ignored, and all capabilities will be added. ++// 2. if drops contains "all", all capabilities will be dropped. ++// 3. add individual capabilities in adds ++// 4. drop individual capabilities in drops. ++// The reason why we handle "all" first is that we can avoid the case that the individual capabilities are ++// not included by "all". + static int tweak_capabilities(char ***caps, size_t *caps_len, const char **adds, size_t adds_len, const char **drops, + size_t drops_len) + { +- size_t i; +- size_t all_caps_len = 0; + int ret = 0; + char **new_caps = NULL; + char **basic_caps = NULL; ++ const char **all_caps = NULL; + size_t new_caps_len = 0; + size_t basic_caps_len = 0; ++ size_t all_caps_len = 0; ++ bool add_all = false; ++ bool drop_all = false; + +- all_caps_len = util_get_all_caps_len(); +- if (!valid_drops_cap(drops, drops_len)) { ++ all_caps = util_get_all_caps(&all_caps_len); ++ if (all_caps == NULL) { ++ ERROR("Failed to get all capabilities"); + return -1; + } + +- if (util_strings_in_slice((const char **)adds, adds_len, "all")) { +- ret = copy_capabilities(&basic_caps, &basic_caps_len, g_all_caps, all_caps_len); +- } else { ++ add_all = util_strings_in_slice((const char **)adds, adds_len, "all"); ++ drop_all = util_strings_in_slice((const char **)drops, drops_len, "all"); ++ ++ ++ if (!add_all && !drop_all) { ++ // if neither add_all nor drop_all, we start with the default capabilities + ret = copy_capabilities(&basic_caps, &basic_caps_len, (const char **)*caps, *caps_len); +- } +- if (ret != 0) { +- ERROR("Failed to copy capabilities"); +- ret = -1; +- goto free_out; ++ if (ret != 0) { ++ ERROR("Failed to copy capabilities"); ++ ret = -1; ++ goto free_out; ++ } ++ } else if (drop_all) { ++ // if drop_all, we start with an empty set ++ basic_caps = NULL; ++ basic_caps_len = 0; ++ } else { ++ // if not drop_all but add_all, we start with all capabilities ++ ret = copy_capabilities(&basic_caps, &basic_caps_len, all_caps, all_caps_len); ++ if (ret != 0) { ++ ERROR("Failed to copy all capabilities"); ++ ret = -1; ++ goto free_out; ++ } + } + +- ret = tweak_drops_capabilities(&new_caps, &new_caps_len, basic_caps, basic_caps_len, drops, drops_len); ++ // Add capabilities to the basic capabilities ++ ret = tweak_adds_capabilities(&basic_caps, &basic_caps_len, adds, adds_len); + if (ret != 0) { + ret = -1; + goto free_out; + } + +- ret = tweak_adds_capabilities(&new_caps, &new_caps_len, adds, adds_len); ++ // Drop capabilities from the basic capabilities ++ ret = tweak_drops_capabilities(&new_caps, &new_caps_len, basic_caps, basic_caps_len, drops, drops_len); + if (ret != 0) { + ret = -1; + goto free_out; + } + + free_out: +- for (i = 0; i < basic_caps_len; i++) { +- free(basic_caps[i]); +- } +- free(basic_caps); +- +- // free old caps +- for (i = 0; i < *caps_len; i++) { +- free((*caps)[i]); +- (*caps)[i] = NULL; +- } +- free(*caps); ++ util_free_array_by_len(basic_caps, basic_caps_len); ++ util_free_array_by_len(*caps, *caps_len); + + // set new caps + *caps = new_caps; +diff --git a/src/utils/cutils/utils_cap.c b/src/utils/cutils/utils_cap.c +new file mode 100644 +index 00000000..6473df45 +--- /dev/null ++++ b/src/utils/cutils/utils_cap.c +@@ -0,0 +1,119 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2018-2022. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: xuxuepeng ++ * Create: 2023-11-08 ++ * Description: provide capbilities utils functions ++ *******************************************************************************/ ++ ++#define _GNU_SOURCE ++ ++#include "utils_cap.h" ++ ++#include ++#include ++#include ++ ++#include "utils_string.h" ++ ++const char *g_all_caps[] = { ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++#ifdef CAP_AUDIT_WRITE ++ "CAP_AUDIT_WRITE", ++#endif ++#ifdef CAP_AUDIT_CONTROL ++ "CAP_AUDIT_CONTROL", ++#endif ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++#ifdef CAP_SYSLOG ++ "CAP_SYSLOG", ++#endif ++#ifdef CAP_WAKE_ALARM ++ "CAP_WAKE_ALARM", ++#endif ++#ifdef CAP_BLOCK_SUSPEND ++ "CAP_BLOCK_SUSPEND", ++#endif ++#ifdef CAP_AUDIT_READ ++ "CAP_AUDIT_READ", ++#endif ++#ifdef CAP_PERFMON ++ "CAP_PERFMON", ++#endif ++#ifdef CAP_BPF ++ "CAP_BPF", ++#endif ++#ifdef CAP_CHECKPOINT_RESTORE ++ "CAP_CHECKPOINT_RESTORE", ++#endif ++}; ++ ++static inline size_t util_get_all_caps_len() ++{ ++ return sizeof(g_all_caps) / sizeof(char *); ++} ++ ++bool util_valid_cap(const char *cap) ++{ ++ int nret = 0; ++ char tmpcap[32] = { 0 }; ++ size_t all_caps_len = util_get_all_caps_len(); ++ ++ if (cap == NULL) { ++ return false; ++ } ++ ++ nret = snprintf(tmpcap, sizeof(tmpcap), "CAP_%s", cap); ++ if (nret < 0 || (size_t)nret >= sizeof(tmpcap)) { ++ ERROR("Failed to print string"); ++ return false; ++ } ++ if (!util_strings_in_slice(g_all_caps, all_caps_len, tmpcap)) { ++ return false; ++ } ++ ++ return true; ++} ++ ++const char **util_get_all_caps(size_t *cap_len) ++{ ++ *cap_len = util_get_all_caps_len(); ++ return g_all_caps; ++} +diff --git a/src/utils/cutils/utils_cap.h b/src/utils/cutils/utils_cap.h +new file mode 100644 +index 00000000..de63d070 +--- /dev/null ++++ b/src/utils/cutils/utils_cap.h +@@ -0,0 +1,39 @@ ++/****************************************************************************** ++ * Copyright (c) Huawei Technologies Co., Ltd. 2018-2022. All rights reserved. ++ * iSulad licensed under the Mulan PSL v2. ++ * You can use this software according to the terms and conditions of the Mulan PSL v2. ++ * You may obtain a copy of Mulan PSL v2 at: ++ * http://license.coscl.org.cn/MulanPSL2 ++ * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++ * PURPOSE. ++ * See the Mulan PSL v2 for more details. ++ * Author: xuxuepeng ++ * Create: 2023-11-08 ++ * Description: provide capbilities utils functions ++ *******************************************************************************/ ++ ++#ifndef UTILS_CUTILS_UTILS_CAP_H ++#define UTILS_CUTILS_UTILS_CAP_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++#include ++#include ++#include ++ ++bool util_valid_cap(const char *cap); ++ ++/** ++ * Get all supported capabilities for linux, ++ * note that the returned strings are unmutable ++ */ ++const char **util_get_all_caps(size_t *cap_len); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif // UTILS_CUTILS_UTILS_CAP_H +diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c +index 2f10f278..f4ce3199 100644 +--- a/src/utils/cutils/utils_verify.c ++++ b/src/utils/cutils/utils_verify.c +@@ -22,7 +22,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -32,59 +31,6 @@ + #include "utils_array.h" + #include "utils_string.h" + +-const char *g_all_caps[] = { +- "CAP_CHOWN", +- "CAP_DAC_OVERRIDE", +- "CAP_DAC_READ_SEARCH", +- "CAP_FOWNER", +- "CAP_FSETID", +- "CAP_KILL", +- "CAP_SETGID", +- "CAP_SETUID", +- "CAP_SETPCAP", +- "CAP_LINUX_IMMUTABLE", +- "CAP_NET_BIND_SERVICE", +- "CAP_NET_BROADCAST", +- "CAP_NET_ADMIN", +- "CAP_NET_RAW", +- "CAP_IPC_LOCK", +- "CAP_IPC_OWNER", +- "CAP_SYS_MODULE", +- "CAP_SYS_RAWIO", +- "CAP_SYS_CHROOT", +- "CAP_SYS_PTRACE", +- "CAP_SYS_PACCT", +- "CAP_SYS_ADMIN", +- "CAP_SYS_BOOT", +- "CAP_SYS_NICE", +- "CAP_SYS_RESOURCE", +- "CAP_SYS_TIME", +- "CAP_SYS_TTY_CONFIG", +- "CAP_MKNOD", +- "CAP_LEASE", +-#ifdef CAP_AUDIT_WRITE +- "CAP_AUDIT_WRITE", +-#endif +-#ifdef CAP_AUDIT_CONTROL +- "CAP_AUDIT_CONTROL", +-#endif +- "CAP_SETFCAP", +- "CAP_MAC_OVERRIDE", +- "CAP_MAC_ADMIN", +-#ifdef CAP_SYSLOG +- "CAP_SYSLOG", +-#endif +-#ifdef CAP_WAKE_ALARM +- "CAP_WAKE_ALARM", +-#endif +-#ifdef CAP_BLOCK_SUSPEND +- "CAP_BLOCK_SUSPEND", +-#endif +-#ifdef CAP_AUDIT_READ +- "CAP_AUDIT_READ", +-#endif +-}; +- + bool util_valid_cmd_arg(const char *arg) + { + return (arg != NULL) && (strchr(arg, '|') == NULL) && (strchr(arg, '`') == NULL) && (strchr(arg, '&')) == NULL && +@@ -215,33 +161,6 @@ bool util_valid_str(const char *str) + return (str != NULL && str[0] != '\0') ? true : false; + } + +-size_t util_get_all_caps_len() +-{ +- return sizeof(g_all_caps) / sizeof(char *); +-} +- +-bool util_valid_cap(const char *cap) +-{ +- int nret = 0; +- char tmpcap[32] = { 0 }; +- size_t all_caps_len = util_get_all_caps_len(); +- +- if (cap == NULL) { +- return false; +- } +- +- nret = snprintf(tmpcap, sizeof(tmpcap), "CAP_%s", cap); +- if (nret < 0 || (size_t)nret >= sizeof(tmpcap)) { +- ERROR("Failed to print string"); +- return false; +- } +- if (!util_strings_in_slice(g_all_caps, all_caps_len, tmpcap)) { +- return false; +- } +- +- return true; +-} +- + bool util_valid_container_id(const char *id) + { + char *patten = "^[a-f0-9]{1,64}$"; +diff --git a/src/utils/cutils/utils_verify.h b/src/utils/cutils/utils_verify.h +index ad4466ef..54d1ce71 100644 +--- a/src/utils/cutils/utils_verify.h ++++ b/src/utils/cutils/utils_verify.h +@@ -38,8 +38,6 @@ extern "C" { + + #define VALID_VOLUME_NAME "[a-zA-Z0-9][a-zA-Z0-9_.-]{1,63}" + +-extern const char *g_all_caps[]; +- + bool util_valid_cmd_arg(const char *arg); + + bool util_valid_signal(int sig); +@@ -54,10 +52,6 @@ bool util_valid_device_mode(const char *mode); + + bool util_valid_str(const char *str); + +-size_t util_get_all_caps_len(); +- +-bool util_valid_cap(const char *cap); +- + bool util_valid_time_tz(const char *time); + + bool util_valid_embedded_image_name(const char *name); +diff --git a/test/cutils/utils_verify/utils_verify_ut.cc b/test/cutils/utils_verify/utils_verify_ut.cc +index 99775d09..79670ec1 100644 +--- a/test/cutils/utils_verify/utils_verify_ut.cc ++++ b/test/cutils/utils_verify/utils_verify_ut.cc +@@ -98,20 +98,6 @@ TEST(utils_verify, test_util_valid_str) + ASSERT_EQ(util_valid_str(nullptr), false); + } + +-TEST(utils_verify, test_util_get_all_caps_len) +-{ +- ASSERT_NE(util_get_all_caps_len(), 0); +-} +- +-TEST(utils_verify, test_util_valid_cap) +-{ +- ASSERT_EQ(util_valid_cap("DAC_READ_SEARCH"), true); +- +- ASSERT_EQ(util_valid_cap(nullptr), false); +- ASSERT_EQ(util_valid_cap(""), false); +- ASSERT_EQ(util_valid_cap("DA_READ_SEARCH"), false); +-} +- + TEST(utils_verify, test_util_valid_time_tz) + { + ASSERT_EQ(util_valid_time_tz("2022-10-04T18:22:45.289257759Z"), true); +diff --git a/test/image/oci/oci_config_merge/CMakeLists.txt b/test/image/oci/oci_config_merge/CMakeLists.txt +index ce4df5ba..90809080 100644 +--- a/test/image/oci/oci_config_merge/CMakeLists.txt ++++ b/test/image/oci/oci_config_merge/CMakeLists.txt +@@ -14,6 +14,7 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_file.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_timestamp.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_fs.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/utils_cap.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/map/map.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/map/rb_tree.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../src/utils/cutils/util_atomic.c +diff --git a/test/image/oci/storage/images/CMakeLists.txt b/test/image/oci/storage/images/CMakeLists.txt +index 8446ebba..28e0b505 100644 +--- a/test/image/oci/storage/images/CMakeLists.txt ++++ b/test/image/oci/storage/images/CMakeLists.txt +@@ -11,6 +11,7 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils_convert.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils_file.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils_base64.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/utils_cap.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/util_atomic.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/sha256/sha256.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../../src/utils/cutils/path.c +diff --git a/test/specs/specs/CMakeLists.txt b/test/specs/specs/CMakeLists.txt +index 1d627e37..a9dbc52c 100644 +--- a/test/specs/specs/CMakeLists.txt ++++ b/test/specs/specs/CMakeLists.txt +@@ -14,6 +14,7 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/util_atomic.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/utils_mount_spec.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/utils_fs.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/utils_cap.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/sha256/sha256.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/path.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/map/map.c +diff --git a/test/specs/specs/oci_runtime_spec.json b/test/specs/specs/oci_runtime_spec.json +index 0223fd6f..efd5da35 100644 +--- a/test/specs/specs/oci_runtime_spec.json ++++ b/test/specs/specs/oci_runtime_spec.json +@@ -154,6 +154,38 @@ + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" ++ ], ++ "effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_FSETID", ++ "CAP_FOWNER", ++ "CAP_MKNOD", ++ "CAP_NET_RAW", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETFCAP", ++ "CAP_SETPCAP", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_SYS_CHROOT", ++ "CAP_KILL", ++ "CAP_AUDIT_WRITE" ++ ], ++ "permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_FSETID", ++ "CAP_FOWNER", ++ "CAP_MKNOD", ++ "CAP_NET_RAW", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETFCAP", ++ "CAP_SETPCAP", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_SYS_CHROOT", ++ "CAP_KILL", ++ "CAP_AUDIT_WRITE" + ] + } + }, +diff --git a/test/specs/specs/specs_ut.cc b/test/specs/specs/specs_ut.cc +index 96aa1c63..ad903a3f 100644 +--- a/test/specs/specs/specs_ut.cc ++++ b/test/specs/specs/specs_ut.cc +@@ -20,6 +20,7 @@ + #include "isula_libutils/oci_runtime_spec.h" + #include "specs_api.h" + #include "specs_namespace.h" ++#include "specs_security.h" + #include "isula_libutils/host_config.h" + #include "isula_libutils/container_config.h" + #include "oci_ut_common.h" +@@ -27,6 +28,7 @@ + #include + #include "isulad_config_mock.h" + #include "utils.h" ++#include "utils_cap.h" + + using ::testing::Args; + using ::testing::ByRef; +@@ -344,3 +346,316 @@ TEST_F(SpecsUnitTest, test_merge_container_cgroups_path_5) + + testing::Mock::VerifyAndClearExpectations(&m_isulad_conf); + } ++ ++/********************************* UT for merge caps *******************************************/ ++struct capabilities_lens { ++ size_t bounding_len; ++ size_t effective_len; ++ size_t inheritable_len; ++ size_t permitted_len; ++ size_t ambient_len; ++}; ++ ++void check_capabilities_len(defs_process_capabilities *cap, struct capabilities_lens *lens) ++{ ++ lens->bounding_len = cap->bounding_len; ++ lens->effective_len = cap->effective_len; ++ lens->inheritable_len = cap->inheritable_len; ++ lens->permitted_len = cap->permitted_len; ++ lens->ambient_len = cap->ambient_len; ++} ++ ++void validate_capabilities_len(defs_process_capabilities *cap, struct capabilities_lens *lens, ssize_t len_diff) ++{ ++ ASSERT_EQ((ssize_t)cap->bounding_len, (ssize_t)lens->bounding_len + len_diff); ++ ASSERT_EQ((ssize_t)cap->effective_len, (ssize_t)lens->effective_len + len_diff); ++ ASSERT_EQ((ssize_t)cap->permitted_len, (ssize_t)lens->permitted_len + len_diff); ++ // Currently we don't support inheritable and ambient capabilities ++} ++ ++TEST(merge_capability_ut, test_merge_caps_without_adds_drops) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, nullptr, 0, nullptr, 0); ++ ASSERT_EQ(ret, 0); ++ ++ validate_capabilities_len(oci_spec->process->capabilities, &old_lens, 0); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_adds_without_drops) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ /* All of below capabilities are not in oci_config_file */ ++ const char *adds[] = { "NET_ADMIN", "SYS_ADMIN", "SYS_TTY_CONFIG", "SYS_PTRACE" }; ++ const char *drops[] = {}; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ /* All of capabilities in adds are added */ ++ validate_capabilities_len(oci_spec->process->capabilities, &old_lens, adds_len); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_adds_existing_without_drops) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ /* CHOWN already exits in oci_config_file */ ++ const char *adds[] = { "CHOWN", "SYS_ADMIN", "SYS_TTY_CONFIG", "SYS_PTRACE" }; ++ const char *drops[] = {}; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ /* CHOWN is not added, since it already exits in the default list */ ++ validate_capabilities_len(oci_spec->process->capabilities, &old_lens, adds_len - 1); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_drops_without_adds) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ const char *adds[] = {}; ++ /* Below capabilities are not in the oci_config_file */ ++ const char *drops[] = { "SYS_TTY_CONFIG", "SYS_PTRACE" }; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ /* Nothing dropped */ ++ validate_capabilities_len(oci_spec->process->capabilities, &old_lens, 0); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_drops_existing_without_adds) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ const char *adds[] = {}; ++ /* Below capabilities are in the oci_config_file */ ++ const char *drops[] = { "CHOWN", "MKNOD" }; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ /* All dropped */ ++ validate_capabilities_len(oci_spec->process->capabilities, &old_lens, adds_len - drops_len); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_adds_drops) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ /* All of below capabilities are not in oci_config_file */ ++ const char *adds[] = { "NET_ADMIN", "SYS_ADMIN", "SYS_TTY_CONFIG", "SYS_PTRACE" }; ++ const char *drops[] = { "SYS_TTY_CONFIG", "SYS_PTRACE" }; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ validate_capabilities_len(oci_spec->process->capabilities, &old_lens, adds_len - drops_len); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_adds_all_without_drops) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ /* NET_ADMIN is in all */ ++ const char *adds[] = { "ALL", "NET_ADMIN" }; ++ const char *drops[] = {}; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ size_t all_caps_len = 0; ++ util_get_all_caps(&all_caps_len); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ ASSERT_EQ(oci_spec->process->capabilities->bounding_len, all_caps_len); ++ ASSERT_EQ(oci_spec->process->capabilities->effective_len, all_caps_len); ++ ASSERT_EQ(oci_spec->process->capabilities->permitted_len, all_caps_len); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_adds_all_and_extra_without_drops) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ /* ABC is not in all */ ++ const char *adds[] = { "ALL", "ABC" }; ++ const char *drops[] = {}; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ size_t all_caps_len = 0; ++ util_get_all_caps(&all_caps_len); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ ASSERT_EQ(oci_spec->process->capabilities->bounding_len, all_caps_len + 1); ++ ASSERT_EQ(oci_spec->process->capabilities->effective_len, all_caps_len + 1); ++ ASSERT_EQ(oci_spec->process->capabilities->permitted_len, all_caps_len + 1); ++ ++ free_oci_runtime_spec(oci_spec); ++} ++ ++TEST(merge_capability_ut, test_merge_caps_adds_all_drops_all) ++{ ++ oci_runtime_spec *oci_spec = nullptr; ++ int ret = 0; ++ char *err = nullptr; ++ struct capabilities_lens old_lens = { 0 }; ++ char *oci_config_file = nullptr; ++ /* ABC, EFG is not in all */ ++ const char *adds[] = { "ALL", "ABC", "EFG"}; ++ const char *drops[] = { "ALL", "ABC" }; ++ size_t adds_len = sizeof(adds) / sizeof(adds[0]); ++ size_t drops_len = sizeof(drops) / sizeof(drops[0]); ++ size_t all_caps_len = 0; ++ util_get_all_caps(&all_caps_len); ++ ++ oci_config_file = json_path(OCI_RUNTIME_SPEC_FILE); ++ ASSERT_TRUE(oci_config_file != nullptr); ++ ++ oci_spec = oci_runtime_spec_parse_file(oci_config_file, nullptr, &err); ++ ASSERT_TRUE(oci_spec != nullptr); ++ free(err); ++ ++ check_capabilities_len(oci_spec->process->capabilities, &old_lens); ++ ++ ret = merge_caps(oci_spec, adds, adds_len, drops, drops_len); ++ ASSERT_EQ(ret, 0); ++ ++ ASSERT_EQ(oci_spec->process->capabilities->bounding_len, 1); ++ ASSERT_EQ(oci_spec->process->capabilities->effective_len, 1); ++ ASSERT_EQ(oci_spec->process->capabilities->permitted_len, 1); ++ ++ free_oci_runtime_spec(oci_spec); ++} +diff --git a/test/specs/specs_extend/CMakeLists.txt b/test/specs/specs_extend/CMakeLists.txt +index 294690e8..bf4b378e 100644 +--- a/test/specs/specs_extend/CMakeLists.txt ++++ b/test/specs/specs_extend/CMakeLists.txt +@@ -14,6 +14,7 @@ add_executable(${EXE} + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/util_atomic.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/utils_mount_spec.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/utils_fs.c ++ ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/utils_cap.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/sha256/sha256.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/path.c + ${CMAKE_CURRENT_SOURCE_DIR}/../../../src/utils/cutils/map/map.c +-- +2.42.0 + diff --git a/0009-remove-unneccessary-strerror.patch b/0009-remove-unneccessary-strerror.patch deleted file mode 100644 index 242d385..0000000 --- a/0009-remove-unneccessary-strerror.patch +++ /dev/null @@ -1,2669 +0,0 @@ -From 3536723347722180d8964edf7687bef6343edc77 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Mon, 4 Sep 2023 10:44:35 +0800 -Subject: [PATCH 09/32] remove unneccessary strerror - -1. use SYS-log to replace log; -2. remove unuseful strerror; - -Signed-off-by: haozi007 ---- - src/cmd/isula/base/create.c | 4 +- - src/cmd/isula/base/start.c | 2 +- - src/cmd/isula/extend/export.c | 2 +- - src/cmd/isula/images/images.c | 2 +- - src/cmd/isula/images/import.c | 2 +- - src/cmd/isula/images/load.c | 2 +- - src/cmd/isula/images/login.c | 6 +- - src/cmd/isula/isula_host_spec.c | 2 +- - src/cmd/isula/stream/attach.c | 2 +- - src/cmd/isula/stream/exec.c | 4 +- - src/cmd/isulad/main.c | 18 +-- - src/daemon/common/cgroup.c | 4 +- - src/daemon/common/sysinfo.c | 6 +- - src/daemon/entry/connect/grpc/grpc_service.cc | 2 +- - src/daemon/entry/connect/rest/rest_service.c | 4 +- - .../entry/cri/streams/websocket/ws_server.cc | 8 +- - .../cri_pod_sandbox_manager_service.cc | 2 +- - src/daemon/executor/container_cb/execution.c | 8 +- - .../container_cb/execution_information.c | 2 +- - .../executor/container_cb/execution_stream.c | 20 +-- - .../container/container_gc/containers_gc.c | 4 +- - src/daemon/modules/container/container_unix.c | 2 +- - .../container/leftover_cleanup/cleanup.c | 2 +- - .../modules/container/supervisor/supervisor.c | 6 +- - src/daemon/modules/events/monitord.c | 8 +- - .../modules/events_sender/event_sender.c | 2 +- - .../modules/image/embedded/db/sqlite_common.c | 2 +- - src/daemon/modules/image/external/ext_image.c | 2 +- - .../modules/image/image_rootfs_handler.c | 4 +- - src/daemon/modules/image/oci/oci_load.c | 2 +- - .../modules/image/oci/registry/registry.c | 11 +- - .../graphdriver/devmapper/deviceset.c | 10 +- - .../graphdriver/devmapper/wrapper_devmapper.c | 4 +- - .../oci/storage/layer_store/layer_store.c | 10 +- - .../modules/image/oci/storage/storage.c | 2 +- - src/daemon/modules/image/oci/utils_images.c | 6 +- - src/daemon/modules/log/log_gather.c | 18 +-- - .../network/cni_operator/libcni/libcni_conf.c | 2 +- - .../modules/runtime/engines/lcr/lcr_rt_ops.c | 6 +- - .../modules/runtime/isula/isula_rt_ops.c | 10 +- - .../modules/runtime/shim/shim_rt_monitor.cc | 2 +- - src/daemon/modules/runtime/shim/shim_rt_ops.c | 4 +- - src/daemon/modules/service/io_handler.c | 4 +- - .../modules/service/service_container.c | 13 +- - src/daemon/modules/service/service_network.c | 6 +- - src/daemon/modules/spec/specs.c | 2 +- - src/daemon/modules/spec/specs_mount.c | 2 +- - src/daemon/modules/spec/verify.c | 6 +- - src/daemon/modules/volume/local.c | 12 +- - src/daemon/sandbox/sandbox.cc | 2 +- - src/utils/console/console.c | 16 +-- - src/utils/cutils/network_namespace.c | 2 +- - src/utils/cutils/path.c | 4 +- - src/utils/cutils/utils.c | 12 +- - src/utils/cutils/utils_aes.c | 16 +-- - src/utils/cutils/utils_base64.c | 4 +- - src/utils/cutils/utils_file.c | 80 ++++++------ - src/utils/cutils/utils_fs.c | 12 +- - src/utils/cutils/utils_port.c | 14 +-- - src/utils/cutils/utils_verify.c | 2 +- - src/utils/http/http.c | 2 +- - src/utils/sha256/sha256.c | 8 +- - src/utils/tar/isulad_tar.c | 12 +- - src/utils/tar/util_archive.c | 118 ++++++++---------- - src/utils/tar/util_gzip.c | 12 +- - 65 files changed, 282 insertions(+), 300 deletions(-) - -diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c -index ecb197bc..aa90c5d6 100644 ---- a/src/cmd/isula/base/create.c -+++ b/src/cmd/isula/base/create.c -@@ -1945,7 +1945,7 @@ static int check_hook_spec_file(const char *hook_spec) - return -1; - } - if (stat(hook_spec, &hookstat)) { -- COMMAND_ERROR("Stat hook spec file failed: %s", strerror(errno)); -+ CMD_SYSERROR("Stat hook spec file failed"); - return -1; - } - if ((hookstat.st_mode & S_IFMT) != S_IFREG) { -@@ -1987,7 +1987,7 @@ static int create_check_rootfs(struct client_arguments *args) - if (args->create_rootfs != NULL) { - char real_path[PATH_MAX] = { 0 }; - if (realpath(args->create_rootfs, real_path) == NULL) { -- COMMAND_ERROR("Failed to get rootfs '%s': %s", args->create_rootfs, strerror(errno)); -+ CMD_SYSERROR("Failed to get rootfs '%s'.", args->create_rootfs); - ret = -1; - goto out; - } -diff --git a/src/cmd/isula/base/start.c b/src/cmd/isula/base/start.c -index ca3634e1..1d0f1256 100644 ---- a/src/cmd/isula/base/start.c -+++ b/src/cmd/isula/base/start.c -@@ -200,7 +200,7 @@ void client_wait_fifo_exit(const struct client_arguments *args) - void client_restore_console(bool reset_tty, const struct termios *oldtios, struct command_fifo_config *console_fifos) - { - if (reset_tty && tcsetattr(0, TCSAFLUSH, oldtios) < 0) { -- WARN("Failed to reset terminal properties: %s.", strerror(errno)); -+ SYSWARN("Failed to reset terminal properties."); - } - free_command_fifo_config(console_fifos); - sem_destroy(&g_console_waitopen_sem); -diff --git a/src/cmd/isula/extend/export.c b/src/cmd/isula/extend/export.c -index 68d17c82..d8f3574c 100644 ---- a/src/cmd/isula/extend/export.c -+++ b/src/cmd/isula/extend/export.c -@@ -114,7 +114,7 @@ int cmd_export_main(int argc, const char **argv) - int sret; - char cwd[PATH_MAX] = { 0 }; - if (!getcwd(cwd, sizeof(cwd))) { -- COMMAND_ERROR("get cwd failed:%s", strerror(errno)); -+ CMD_SYSERROR("get cwd failed"); - exit(ECOMMON); - } - sret = snprintf(file, sizeof(file), "%s/%s", cwd, g_cmd_export_args.file); -diff --git a/src/cmd/isula/images/images.c b/src/cmd/isula/images/images.c -index bff07f76..bd9dc18b 100644 ---- a/src/cmd/isula/images/images.c -+++ b/src/cmd/isula/images/images.c -@@ -65,7 +65,7 @@ static char *trans_time(int64_t created) - time_t created_time = (time_t)created; - - if (!localtime_r(&created_time, &t)) { -- ERROR("translate time for created failed: %s", strerror(errno)); -+ SYSERROR("translate time for created failed."); - return NULL; - } - -diff --git a/src/cmd/isula/images/import.c b/src/cmd/isula/images/import.c -index 7b6eb2a9..f28fe04c 100644 ---- a/src/cmd/isula/images/import.c -+++ b/src/cmd/isula/images/import.c -@@ -126,7 +126,7 @@ int cmd_import_main(int argc, const char **argv) - int len = 0; - - if (!getcwd(cwd, sizeof(cwd))) { -- COMMAND_ERROR("get cwd failed:%s", strerror(errno)); -+ CMD_SYSERROR("get cwd failed"); - exit(exit_code); - } - -diff --git a/src/cmd/isula/images/load.c b/src/cmd/isula/images/load.c -index 688edd02..314e5d5e 100644 ---- a/src/cmd/isula/images/load.c -+++ b/src/cmd/isula/images/load.c -@@ -150,7 +150,7 @@ int cmd_load_main(int argc, const char **argv) - int len; - - if (!getcwd(cwd, sizeof(cwd))) { -- COMMAND_ERROR("get cwd failed:%s", strerror(errno)); -+ CMD_SYSERROR("get cwd failed"); - exit(exit_code); - } - -diff --git a/src/cmd/isula/images/login.c b/src/cmd/isula/images/login.c -index c35cb579..1c3b06ea 100644 ---- a/src/cmd/isula/images/login.c -+++ b/src/cmd/isula/images/login.c -@@ -99,7 +99,7 @@ static int get_password_from_notty(struct client_arguments *args) - return -1; - } - if (n < 0) { -- COMMAND_ERROR("Get password from notty stdin failed: %s", strerror(errno)); -+ CMD_SYSERROR("Get password from notty stdin failed"); - return -1; - } - args->password = util_strdup_s(password); -@@ -126,7 +126,7 @@ static int get_auth_from_terminal(struct client_arguments *args) - COMMAND_ERROR("Error: Cannot perform an interactive login from a non TTY device"); - return -1; - } -- COMMAND_ERROR("Get username failed: %s", strerror(errno)); -+ CMD_SYSERROR("Get username failed"); - return -1; - } - args->username = util_strdup_s(username); -@@ -145,7 +145,7 @@ static int get_auth_from_terminal(struct client_arguments *args) - COMMAND_ERROR("Error: Cannot perform an interactive login from a non TTY device"); - return -1; - } -- COMMAND_ERROR("Get password failed: %s", strerror(errno)); -+ CMD_SYSERROR("Get password failed"); - return -1; - } - args->password = util_strdup_s(password); -diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c -index 765c44c0..9fa08bd2 100644 ---- a/src/cmd/isula/isula_host_spec.c -+++ b/src/cmd/isula/isula_host_spec.c -@@ -771,7 +771,7 @@ uint64_t get_proc_mem_size(const char *item) - - fp = util_fopen("/proc/meminfo", "r"); - if (fp == NULL) { -- ERROR("Failed to open /proc/meminfo: %s", strerror(errno)); -+ SYSERROR("Failed to open /proc/meminfo"); - return sysmem_limit; - } - -diff --git a/src/cmd/isula/stream/attach.c b/src/cmd/isula/stream/attach.c -index 02c67e30..ff49af92 100644 ---- a/src/cmd/isula/stream/attach.c -+++ b/src/cmd/isula/stream/attach.c -@@ -376,7 +376,7 @@ static int client_attach(struct client_arguments *args, uint32_t *exit_code) - if (errno == ETIMEDOUT) { - COMMAND_ERROR("Wait container status timeout."); - } else { -- COMMAND_ERROR("Failed to wait sem: %s", strerror(errno)); -+ CMD_SYSERROR("Failed to wait sem"); - } - ret = ECOMMON; - goto out; -diff --git a/src/cmd/isula/stream/exec.c b/src/cmd/isula/stream/exec.c -index bd8bd49a..209610be 100644 ---- a/src/cmd/isula/stream/exec.c -+++ b/src/cmd/isula/stream/exec.c -@@ -356,7 +356,7 @@ static int remote_cmd_exec(const struct client_arguments *args, uint32_t *exit_c - - out: - if (reset_tty && tcsetattr(0, TCSAFLUSH, &oldtios) < 0) { -- WARN("Failed to reset terminal properties: %s.", strerror(errno)); -+ SYSWARN("Failed to reset terminal properties."); - } - if (response->exit_code != 0) { - *exit_code = response->exit_code; -@@ -387,7 +387,7 @@ out: - sem_destroy(&g_command_waitopen_sem); - sem_destroy(&g_command_waitexit_sem); - if (reset_tty && tcsetattr(0, TCSAFLUSH, &oldtios) < 0) { -- WARN("Failed to reset terminal properties: %s.", strerror(errno)); -+ SYSWARN("Failed to reset terminal properties."); - } - return ret; - } -diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c -index b32b6626..39cde6aa 100644 ---- a/src/cmd/isulad/main.c -+++ b/src/cmd/isulad/main.c -@@ -179,7 +179,7 @@ static int mount_rootfs_mnt_dir(const char *mountdir) - if (info == NULL) { - ret = mount(rootfsdir, rootfsdir, "bind", MS_BIND | MS_REC, NULL); - if (ret < 0) { -- ERROR("Failed to mount parent directory %s:%s", rootfsdir, strerror(errno)); -+ SYSERROR("Failed to mount parent directory %s.", rootfsdir); - goto out; - } - } -@@ -212,7 +212,7 @@ static int umount_rootfs_mnt_dir(const char *mntdir) - - ret = umount(dir); - if (ret < 0 && errno != EINVAL) { -- WARN("Failed to umount parent directory %s:%s", dir, strerror(errno)); -+ SYSWARN("Failed to umount parent directory %s.", dir); - goto out; - } - -@@ -252,7 +252,7 @@ static void clean_residual_files() - if (checked_flag == NULL) { - ERROR("Failed to get image checked flag file path"); - } else if (unlink_ignore_enoent(checked_flag)) { -- ERROR("Unlink file: %s error: %s", checked_flag, strerror(errno)); -+ SYSERROR("Unlink file: %s.", checked_flag); - } - free(checked_flag); - -@@ -261,7 +261,7 @@ static void clean_residual_files() - if (fname == NULL) { - ERROR("Failed to get isulad pid file path"); - } else if (unlink(fname) && errno != ENOENT) { -- WARN("Unlink file: %s error: %s", fname, strerror(errno)); -+ SYSWARN("Unlink file: %s.", fname); - } - free(fname); - } -@@ -472,7 +472,7 @@ int check_and_save_pid(const char *fn) - - ret = ftruncate(fd, 0); - if (ret != 0) { -- ERROR("Failed to truncate pid file:%s to 0: %s", fn, strerror(errno)); -+ SYSERROR("Failed to truncate pid file:%s to 0.", fn); - ret = -1; - goto out; - } -@@ -486,7 +486,7 @@ int check_and_save_pid(const char *fn) - - len = util_write_nointr(fd, pidbuf, strlen(pidbuf)); - if (len < 0 || (size_t)len != strlen(pidbuf)) { -- ERROR("Failed to write pid to file:%s: %s", fn, strerror(errno)); -+ SYSERROR("Failed to write pid to file:%s.", fn); - ret = -1; - } - out: -@@ -527,7 +527,7 @@ static int check_hook_spec_file(const char *hook_spec) - return -1; - } - if (stat(hook_spec, &hookstat)) { -- ERROR("Stat hook spec file failed: %s", strerror(errno)); -+ SYSERROR("Stat hook spec file failed."); - return -1; - } - if ((hookstat.st_mode & S_IFMT) != S_IFREG) { -@@ -589,7 +589,7 @@ static void update_isulad_rlimits() - limit.rlim_cur = RLIM_INFINITY; - limit.rlim_max = RLIM_INFINITY; - if (setrlimit(RLIMIT_CORE, &limit)) { -- SYSWARN("Can not set ulimit of RLIMIT_CORE"); -+ SYSWARN("Can not set ulimit of RLIMIT_CORE."); - } - } - -@@ -813,7 +813,7 @@ static int overlay_supports_selinux(bool *supported) - *supported = false; - fp = fopen("/proc/kallsyms", "re"); - if (fp == NULL) { -- ERROR("Failed to open /proc/kallsyms: %s", strerror(errno)); -+ SYSERROR("Failed to open /proc/kallsyms."); - return -1; - } - __fsetlocking(fp, FSETLOCKING_BYCALLER); -diff --git a/src/daemon/common/cgroup.c b/src/daemon/common/cgroup.c -index a351704b..2d1cabb2 100644 ---- a/src/daemon/common/cgroup.c -+++ b/src/daemon/common/cgroup.c -@@ -596,7 +596,7 @@ int common_get_cgroup_version(void) - struct statfs fs = { 0 }; - - if (statfs(CGROUP_MOUNTPOINT, &fs) != 0) { -- ERROR("failed to statfs %s: %s", CGROUP_MOUNTPOINT, strerror(errno)); -+ SYSERROR("failed to statfs %s", CGROUP_MOUNTPOINT); - return -1; - } - -@@ -649,7 +649,7 @@ static int cgroup2_enable_all() - ret = util_write_file(CGROUP2_SUBTREE_CONTROLLER_PATH, enable_controllers, strlen(enable_controllers), - DEFAULT_CGROUP_FILE_MODE); - if (ret != 0) { -- ERROR("write %s to %s failed: %s", enable_controllers, CGROUP2_SUBTREE_CONTROLLER_PATH, strerror(errno)); -+ SYSERROR("write %s to %s failed", enable_controllers, CGROUP2_SUBTREE_CONTROLLER_PATH); - goto out; - } - -diff --git a/src/daemon/common/sysinfo.c b/src/daemon/common/sysinfo.c -index c83ff12f..957b370b 100644 ---- a/src/daemon/common/sysinfo.c -+++ b/src/daemon/common/sysinfo.c -@@ -108,7 +108,7 @@ uint64_t get_default_total_mem_size(void) - - fp = util_fopen("/proc/meminfo", "r"); - if (fp == NULL) { -- ERROR("Failed to open /proc/meminfo: %s", strerror(errno)); -+ SYSERROR("Failed to open /proc/meminfo."); - return sysmem_limit; - } - -@@ -148,10 +148,10 @@ char *get_operating_system(void) - - fp = fopen(etcOsRelease, "r"); - if (fp == NULL) { -- INFO("Failed to open %s :%s", etcOsRelease, strerror(errno)); -+ SYSINFO("Failed to open %s.", etcOsRelease); - fp = fopen(altOsRelease, "r"); - if (fp == NULL) { -- ERROR("Failed to open %s :%s", altOsRelease, strerror(errno)); -+ SYSERROR("Failed to open %s.", altOsRelease); - goto out; - } - } -diff --git a/src/daemon/entry/connect/grpc/grpc_service.cc b/src/daemon/entry/connect/grpc/grpc_service.cc -index 5adfd964..4e1ae019 100644 ---- a/src/daemon/entry/connect/grpc/grpc_service.cc -+++ b/src/daemon/entry/connect/grpc/grpc_service.cc -@@ -117,7 +117,7 @@ public: - for (const auto &address : m_socketPath) { - if (address.find(UNIX_SOCKET_PREFIX) == 0) { - if (unlink(address.c_str() + strlen(UNIX_SOCKET_PREFIX)) < 0 && errno != ENOENT) { -- WARN("Failed to remove '%s':%s", address.c_str(), strerror(errno)); -+ SYSWARN("Failed to remove '%s'.", address.c_str()); - } - } - } -diff --git a/src/daemon/entry/connect/rest/rest_service.c b/src/daemon/entry/connect/rest/rest_service.c -index 818e729d..c73fed66 100644 ---- a/src/daemon/entry/connect/rest/rest_service.c -+++ b/src/daemon/entry/connect/rest/rest_service.c -@@ -149,7 +149,7 @@ int rest_server_init(const char *socket, daemon_shutdown_cb_t shutdown_cb) - } - - if (unlink(g_socketpath + strlen(UNIX_SOCKET_PREFIX)) < 0 && errno != ENOENT) { -- ERROR("Failed to remove '%s':%s, abort", strerror(errno), g_socketpath); -+ SYSERROR("Failed to remove '%s', abort", g_socketpath); - goto error_out; - } - -@@ -190,7 +190,7 @@ void rest_server_shutdown(void) - - if (g_socketpath != NULL) { - if (unlink(g_socketpath + strlen(UNIX_SOCKET_PREFIX)) < 0 && errno != ENOENT) { -- ERROR("Failed to remove '%s':%s", g_socketpath, strerror(errno)); -+ SYSERROR("Failed to remove '%s'.", g_socketpath); - } - } - } -diff --git a/src/daemon/entry/cri/streams/websocket/ws_server.cc b/src/daemon/entry/cri/streams/websocket/ws_server.cc -index 3bb619d8..972c971f 100644 ---- a/src/daemon/entry/cri/streams/websocket/ws_server.cc -+++ b/src/daemon/entry/cri/streams/websocket/ws_server.cc -@@ -133,7 +133,7 @@ int WebsocketServer::CreateContext() - newLimit.rlim_max = WS_ULIMIT_FDS; - int limited = prlimit(0, RLIMIT_NOFILE, &newLimit, &oldLimit); - if (limited != 0) { -- WARN("Can not set ulimit of RLIMIT_NOFILE: %s", strerror(errno)); -+ SYSWARN("Can not set ulimit of RLIMIT_NOFILE"); - } - m_context = lws_create_context(&info); - if (m_context == nullptr) { -@@ -142,7 +142,7 @@ int WebsocketServer::CreateContext() - } - if (limited == 0) { - if (setrlimit(static_cast(RLIMIT_NOFILE), &oldLimit) != 0) { -- WARN("Can not set ulimit of RLIMIT_NOFILE: %s", strerror(errno)); -+ SYSWARN("Can not set ulimit of RLIMIT_NOFILE"); - } - } - -@@ -441,7 +441,7 @@ void WebsocketServer::Receive(int socketID, void *in, size_t len, bool complete) - DEBUG("Receive remaning stdin data with length %zu", len); - // Too much data may cause error 'resource temporarily unavaliable' by using 'write' - if (util_write_nointr_in_total(m_wsis[socketID]->pipes.at(1), static_cast(in), len) < 0) { -- ERROR("Sub write over! err msg: %s", strerror(errno)); -+ SYSERROR("Sub write over!"); - } - goto out; - } -@@ -458,7 +458,7 @@ void WebsocketServer::Receive(int socketID, void *in, size_t len, bool complete) - - if (*static_cast(in) == WebsocketChannel::STDINCHANNEL) { - if (util_write_nointr_in_total(m_wsis[socketID]->pipes.at(1), static_cast(in) + 1, len - 1) < 0) { -- ERROR("Sub write over! err msg: %s", strerror(errno)); -+ SYSERROR("Sub write over!"); - } - goto out; - } -diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc -index c24c1f69..6e8f40b9 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc -+++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc -@@ -853,7 +853,7 @@ auto PodSandboxManagerService::ClearCniNetwork(const std::string &realSandboxID, - } - // umount netns when cni removed network successfully - if (remove_network_namespace(netnsPath.c_str()) != 0) { -- ERROR("Failed to umount directory %s:%s", netnsPath.c_str(), strerror(errno)); -+ SYSERROR("Failed to umount directory %s.", netnsPath.c_str()); - } - } - -diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c -index dbfec59e..d3571b7f 100644 ---- a/src/daemon/executor/container_cb/execution.c -+++ b/src/daemon/executor/container_cb/execution.c -@@ -277,7 +277,7 @@ static int prepare_start_io(container_t *cont, const container_start_request *re - - *sync_fd = eventfd(0, EFD_CLOEXEC); - if (*sync_fd < 0) { -- ERROR("Failed to create eventfd: %s", strerror(errno)); -+ SYSERROR("Failed to create eventfd."); - ret = -1; - goto out; - } -@@ -344,13 +344,13 @@ static int maybe_create_cpu_realtime_file(int64_t value, const char *file, const - - fd = util_open(fpath, O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, 0700); - if (fd < 0) { -- ERROR("Failed to open file: %s: %s", fpath, strerror(errno)); -+ SYSERROR("Failed to open file: %s.", fpath); - isulad_set_error_message("Failed to open file: %s: %s", fpath, strerror(errno)); - return -1; - } - nwrite = util_write_nointr(fd, buf, strlen(buf)); - if (nwrite < 0 || (size_t)nwrite != strlen(buf)) { -- ERROR("Failed to write %s to %s: %s", buf, fpath, strerror(errno)); -+ SYSERROR("Failed to write %s to %s.", buf, fpath); - isulad_set_error_message("Failed to write '%s' to '%s': %s", buf, fpath, strerror(errno)); - return -1; - } -@@ -485,7 +485,7 @@ static void handle_start_io_thread_by_cc(uint32_t cc, int sync_fd, pthread_t thr - } else { - if (sync_fd >= 0) { - if (eventfd_write(sync_fd, 1) < 0) { -- ERROR("Failed to write eventfd: %s", strerror(errno)); -+ SYSERROR("Failed to write eventfd."); - } - } - if (thread_id > 0) { -diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c -index 93e5032e..2f3d3627 100644 ---- a/src/daemon/executor/container_cb/execution_information.c -+++ b/src/daemon/executor/container_cb/execution_information.c -@@ -522,7 +522,7 @@ void execute_ps_command(char **args, const char *pid_args, size_t args_len) - - execvp("ps", params); - -- COMMAND_ERROR("Cannot get ps info with '%s':%s", pid_args, strerror(errno)); -+ CMD_SYSERROR("Cannot get ps info with '%s'.", pid_args); - - out: - exit(EXIT_FAILURE); -diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c -index 244ec6a0..7e84cca3 100644 ---- a/src/daemon/executor/container_cb/execution_stream.c -+++ b/src/daemon/executor/container_cb/execution_stream.c -@@ -265,7 +265,7 @@ static int attach_prepare_console(const container_t *cont, const container_attac - - *sync_fd = eventfd(0, EFD_CLOEXEC); - if (*sync_fd < 0) { -- ERROR("Failed to create eventfd: %s", strerror(errno)); -+ SYSERROR("Failed to create eventfd."); - ret = -1; - goto out; - } -@@ -295,7 +295,7 @@ static void handle_attach_io_thread_by_cc(uint32_t cc, int sync_fd, pthread_t th - } else { - if (sync_fd >= 0) { - if (eventfd_write(sync_fd, 1) < 0) { -- ERROR("Failed to write eventfd: %s", strerror(errno)); -+ SYSERROR("Failed to write eventfd."); - } - } - if (thread_id > 0) { -@@ -535,7 +535,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c - - nret = lstat(resolvedpath, &st); - if (nret < 0) { -- ERROR("lstat %s: %s", resolvedpath, strerror(errno)); -+ SYSERROR("lstat %s failed.", resolvedpath); - isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); - goto cleanup; - } -@@ -921,7 +921,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha - - nret = lstat(resolvedpath, &st); - if (nret < 0) { -- ERROR("lstat %s: %s", resolvedpath, strerror(errno)); -+ SYSERROR("lstat %s failed", resolvedpath); - isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); - goto cleanup; - } -@@ -1092,11 +1092,11 @@ static int64_t do_read_log_file(const char *path, int64_t require_line, long pos - util_usleep_nointerupt(1000); - } - if (fp == NULL) { -- ERROR("open file: %s failed: %s", path, strerror(errno)); -+ SYSERROR("open file: %s failed.", path); - return -1; - } - if (pos > 0 && fseek(fp, pos, SEEK_SET) != 0) { -- ERROR("fseek to %ld failed: %s", pos, strerror(errno)); -+ SYSERROR("fseek to %ld failed.", pos); - read_lines = -1; - goto out; - } -@@ -1211,12 +1211,12 @@ static int do_tail_find(FILE *fp, int64_t require_line, int64_t *get_line, long - int ret = -1; - - if (fseek(fp, 0L, SEEK_END) != 0) { -- ERROR("Fseek failed: %s", strerror(errno)); -+ SYSERROR("Fseek failed"); - goto out; - } - len = ftell(fp); - if (len < 0) { -- ERROR("Ftell failed: %s", strerror(errno)); -+ SYSERROR("Ftell failed"); - goto out; - } - if (len < SECTION_SIZE) { -@@ -1228,7 +1228,7 @@ static int do_tail_find(FILE *fp, int64_t require_line, int64_t *get_line, long - } - while (true) { - if (fseek(fp, pos, SEEK_SET) != 0) { -- ERROR("Fseek failed: %s", strerror(errno)); -+ SYSERROR("Fseek failed"); - goto out; - } - read_size = fread(buffer, sizeof(char), (size_t)step_size, fp); -@@ -1275,7 +1275,7 @@ static int util_find_tail_position(const char *file_name, int64_t require_line, - - fp = util_fopen(file_name, "rb"); - if (fp == NULL) { -- ERROR("open file: %s failed: %s", file_name, strerror(errno)); -+ SYSERROR("open file: %s failed.", file_name); - return -1; - } - -diff --git a/src/daemon/modules/container/container_gc/containers_gc.c b/src/daemon/modules/container/container_gc/containers_gc.c -index 9feb6d3c..8d0647ab 100644 ---- a/src/daemon/modules/container/container_gc/containers_gc.c -+++ b/src/daemon/modules/container/container_gc/containers_gc.c -@@ -83,14 +83,14 @@ static int save_gc_config(const char *json_gc_config) - - fd = util_open(filename, O_CREAT | O_TRUNC | O_CLOEXEC | O_WRONLY, CONFIG_FILE_MODE); - if (fd == -1) { -- ERROR("Create file %s failed: %s", filename, strerror(errno)); -+ SYSERROR("Create file %s failed.", filename); - ret = -1; - goto out; - } - - nret = util_write_nointr(fd, json_gc_config, strlen(json_gc_config)); - if (nret < 0 || (size_t)nret != strlen(json_gc_config)) { -- ERROR("write %s failed: %s", filename, strerror(errno)); -+ SYSERROR("write %s failed.", filename); - ret = -1; - } - close(fd); -diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c -index 07d9a0e8..e8c98441 100644 ---- a/src/daemon/modules/container/container_unix.c -+++ b/src/daemon/modules/container/container_unix.c -@@ -517,7 +517,7 @@ static int save_json_config_file(const char *id, const char *rootpath, const cha - - nret = util_atomic_write_file(filename, json_data, strlen(json_data), CONFIG_FILE_MODE, false); - if (nret != 0) { -- ERROR("Write file %s failed: %s", filename, strerror(errno)); -+ SYSERROR("Write file %s failed.", filename); - isulad_set_error_message("Write file '%s' failed: %s", filename, strerror(errno)); - ret = -1; - } -diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c -index c86e3db9..9a38ffc2 100644 ---- a/src/daemon/modules/container/leftover_cleanup/cleanup.c -+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c -@@ -158,7 +158,7 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su - - if (util_detect_mounted(tmpdir)) { - if (umount(tmpdir) != 0) { -- ERROR("Failed to umount target %s, error: %s", tmpdir, strerror(errno)); -+ SYSERROR("Failed to umount target %s", tmpdir); - } - } - -diff --git a/src/daemon/modules/container/supervisor/supervisor.c b/src/daemon/modules/container/supervisor/supervisor.c -index 3ce4ec1e..829e48b1 100644 ---- a/src/daemon/modules/container/supervisor/supervisor.c -+++ b/src/daemon/modules/container/supervisor/supervisor.c -@@ -104,7 +104,7 @@ char *container_exit_fifo_create(const char *cont_state_path) - - ret = mknod(fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0); - if (ret < 0 && errno != EEXIST) { -- ERROR("Failed to mknod exit monitor fifo %s: %s.", fifo_path, strerror(errno)); -+ SYSERROR("Failed to mknod exit monitor fifo %s.", fifo_path); - return NULL; - } - -@@ -128,7 +128,7 @@ int container_exit_fifo_open(const char *cont_exit_fifo) - - ret = util_open(cont_exit_fifo, O_RDONLY | O_NONBLOCK, 0); - if (ret < 0) { -- ERROR("Failed to open exit monitor FIFO %s: %s.", cont_exit_fifo, strerror(errno)); -+ SYSERROR("Failed to open exit monitor FIFO %s.", cont_exit_fifo); - ret = -1; - goto out; - } -@@ -324,7 +324,7 @@ restart: - if (ret == 0) { - goto restart; - } -- ERROR("Mainloop returned an error: %s", strerror(errno)); -+ SYSERROR("Mainloop returned an error"); - - epoll_loop_close(&g_supervisor_descr); - -diff --git a/src/daemon/modules/events/monitord.c b/src/daemon/modules/events/monitord.c -index 775fb9ab..9edded7a 100644 ---- a/src/daemon/modules/events/monitord.c -+++ b/src/daemon/modules/events/monitord.c -@@ -113,18 +113,18 @@ static void *monitored(void *arg) - mhandler.fifo_path = fifo_file_path; - - if (mknod(fifo_file_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0) && errno != EEXIST) { -- ERROR("Create monitored fifo file failed: %s", strerror(errno)); -+ SYSERROR("Create monitored fifo file failed"); - goto err; - } - - mhandler.fifo_fd = util_open(fifo_file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC, 0); - if (mhandler.fifo_fd == -1) { -- ERROR("Open monitored fifo file failed: %s", strerror(errno)); -+ SYSERROR("Open monitored fifo file failed"); - goto err; - } - - if (fcntl(mhandler.fifo_fd, F_SETPIPE_SZ, EVENTS_FIFO_SIZE) == -1) { -- ERROR("Set events fifo buffer size failed: %s\n", strerror(errno)); -+ SYSERROR("Set events fifo buffer size failed"); - goto err; - } - -@@ -150,7 +150,7 @@ static void *monitored(void *arg) - ret = epoll_loop(&descr, -1); - } while (ret == 0); - -- ERROR("Mainloop returned an error: %s", strerror(errno)); -+ SYSERROR("Mainloop returned an error"); - goto err2; - - err: -diff --git a/src/daemon/modules/events_sender/event_sender.c b/src/daemon/modules/events_sender/event_sender.c -index a3903f3e..13f3c3e3 100644 ---- a/src/daemon/modules/events_sender/event_sender.c -+++ b/src/daemon/modules/events_sender/event_sender.c -@@ -52,7 +52,7 @@ static void isulad_monitor_fifo_send(const struct monitord_msg *msg) - goto out; - } - -- ERROR("Failed to open fifo to send message: %s.", strerror(errno)); -+ SYSERROR("Failed to open fifo to send message."); - goto out; - } - -diff --git a/src/daemon/modules/image/embedded/db/sqlite_common.c b/src/daemon/modules/image/embedded/db/sqlite_common.c -index 42fdf6d9..89f834a0 100644 ---- a/src/daemon/modules/image/embedded/db/sqlite_common.c -+++ b/src/daemon/modules/image/embedded/db/sqlite_common.c -@@ -49,7 +49,7 @@ int db_sqlite_init(const char *dbpath) - goto cleanup; - } - if (chmod(dbpath, DEFAULT_SECURE_FILE_MODE) != 0) { -- ERROR("Change mode of db file failed: %s", strerror(errno)); -+ SYSERROR("Change mode of db file failed."); - goto cleanup; - } - return 0; -diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c -index d918f4ce..10af82a3 100644 ---- a/src/daemon/modules/image/external/ext_image.c -+++ b/src/daemon/modules/image/external/ext_image.c -@@ -65,7 +65,7 @@ int ext_prepare_rf(const im_prepare_request *request, char **real_rootfs) - return -1; - } - if (realpath(request->rootfs, real_path) == NULL) { -- ERROR("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno)); -+ SYSERROR("Failed to clean rootfs path '%s'", request->rootfs); - isulad_set_error_message("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno)); - return -1; - } -diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c -index 1275658e..1a3f4307 100644 ---- a/src/daemon/modules/image/image_rootfs_handler.c -+++ b/src/daemon/modules/image/image_rootfs_handler.c -@@ -434,7 +434,7 @@ static int read_user_file(const char *basefs, const char *user_path, FILE **stre - - *stream = util_fopen(real_path, "r"); - if (*stream == NULL) { -- WARN("Failed to open %s: %s", real_path, strerror(errno)); -+ SYSWARN("Failed to open %s.", real_path); - ret = 0; - goto out; - } -@@ -455,7 +455,7 @@ static int resolve_basefs(const char *basefs, char **resolved_basefs) - } - - if (stat(real_path, &s) < 0) { -- ERROR("stat failed, error: %s", strerror(errno)); -+ SYSERROR("stat failed."); - return -1; - } - -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index 4385e55e..d2efab81 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -1045,7 +1045,7 @@ static char *oci_load_path_create() - } - - if (mkdtemp(tmp_dir) == NULL) { -- ERROR("make temporary dir failed: %s", strerror(errno)); -+ SYSERROR("make temporary dir failed"); - isulad_try_set_error_message("make temporary dir failed: %s", strerror(errno)); - ret = -1; - goto out; -diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c -index 62d0c35e..5c660bc9 100644 ---- a/src/daemon/modules/image/oci/registry/registry.c -+++ b/src/daemon/modules/image/oci/registry/registry.c -@@ -445,7 +445,7 @@ static int add_cached_layer(char *blob_digest, char *file, thread_fetch_info *in - } - - if (link(src_file, file) != 0) { -- ERROR("link %s to %s failed: %s", src_file, file, strerror(errno)); -+ SYSERROR("link %s to %s failed", src_file, file); - ret = -1; - goto out; - } -@@ -1147,7 +1147,7 @@ static void set_cached_layers_info(char *blob_digest, char *diffid, int result, - continue; - } - if (link(src_file, elem->file) != 0) { -- ERROR("link %s to %s failed: %s", src_file, elem->file, strerror(errno)); -+ SYSERROR("link %s to %s failed", src_file, elem->file); - info->desc->cancel = true; - continue; - } -@@ -1429,8 +1429,7 @@ static void *register_layers_in_thread(void *arg) - // here we can't just break and cleanup resources because threads are running. - // desc is freed if we break and then isulad crash. sleep some time - // instead to avoid cpu full running and then retry. -- ERROR("condition wait for layer %zu to complete failed, ret %d, error: %s", i, cond_ret, -- strerror(errno)); -+ SYSERROR("condition wait for layer %zu to complete failed, ret %d", i, cond_ret); - sleep(10); - continue; - } -@@ -1615,7 +1614,7 @@ static int fetch_all(pull_descriptor *desc) - // here we can't just break and cleanup resources because threads are running. - // desc is freed if we break and then isulad crash. sleep some time - // instead to avoid cpu full running and then retry. -- ERROR("condition wait for all layers to complete failed, ret %d, error: %s", cond_ret, strerror(errno)); -+ SYSERROR("condition wait for all layers to complete failed, ret %d", cond_ret); - sleep(10); - continue; - } -@@ -1909,7 +1908,7 @@ static int prepare_pull_desc(pull_descriptor *desc, registry_pull_options *optio - } - - if (mkdtemp(blobpath) == NULL) { -- ERROR("make temporary direcory failed: %s", strerror(errno)); -+ SYSERROR("make temporary direcory failed"); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -index e2fcf37c..81e53ea7 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -@@ -780,7 +780,7 @@ static int device_file_walk(struct device_set *devset) - } - - if (stat(fname, &st) != 0) { -- ERROR("devmapper: get %s stat error:%s", fname, strerror(errno)); -+ SYSERROR("devmapper: get %s stat failed", fname); - ret = -1; - goto out; - } -@@ -2202,7 +2202,7 @@ static int grow_fs(struct device_set *devset, image_devmapper_device_info *info) - - clean_mount: - if (umount2(FS_MOUNT_POINT, MNT_DETACH) < 0 && errno != EINVAL) { -- WARN("Failed to umount directory %s:%s", FS_MOUNT_POINT, strerror(errno)); -+ SYSWARN("Failed to umount directory %s", FS_MOUNT_POINT); - } - - out: -@@ -3148,7 +3148,7 @@ int unmount_device(const char *hash, const char *mount_path, struct device_set * - } - - if (umount2(mount_path, MNT_DETACH) < 0 && errno != EINVAL) { -- ERROR("Failed to umount directory %s:%s", mount_path, strerror(errno)); -+ SYSERROR("Failed to umount directory %s", mount_path); - ret = -1; - goto free_out; - } -@@ -3405,7 +3405,7 @@ static int umount_deactivate_dev_all(const struct device_set *devset) - } - - if (stat(fname, &st) != 0) { -- ERROR("devmapper: get %s stat error:%s", fname, strerror(errno)); -+ SYSERROR("devmapper: get %s stat failed", fname); - continue; - } - -@@ -3415,7 +3415,7 @@ static int umount_deactivate_dev_all(const struct device_set *devset) - } - - if (umount2(fname, MNT_DETACH) < 0 && errno != EINVAL) { -- ERROR("Failed to umount directory %s:%s", fname, strerror(errno)); -+ SYSERROR("Failed to umount directory %s", fname); - } - - device_info = lookup_device(devset, entry->d_name); -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c -index fc22bcfd..e91ddd1e 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c -@@ -448,7 +448,7 @@ void dev_udev_wait(uint32_t cookie) - } - - if (pthread_create(&tid, NULL, udev_wait_process, uwait) != 0) { -- ERROR("devmapper: create udev wait process thread error:%s", strerror(errno)); -+ SYSERROR("devmapper: create udev wait process thread error"); - free_udev_wait_pth_t(uwait); - return; - } -@@ -1191,7 +1191,7 @@ void dev_check_sem_set_stat(int *semusz, int *semmni) - } - - if (semctl(0, 0, SEM_INFO, &sinfo) != 0) { -- WARN("Get devmapper library version err:%s", strerror(errno)); -+ SYSWARN("Get devmapper library version err"); - return; - } - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -index ae1aba9c..ddf3a62c 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -@@ -1844,7 +1844,7 @@ static int file_crc64(char *file, uint64_t *crc, uint64_t policy) - - fd = util_open(file, O_RDONLY, 0); - if (fd < 0) { -- ERROR("Open file: %s, failed: %s", file, strerror(errno)); -+ SYSERROR("Open file: %s, failed", file); - return -1; - } - -@@ -1866,7 +1866,7 @@ static int file_crc64(char *file, uint64_t *crc, uint64_t policy) - while (true) { - size = util_read_nointr(fd, buffer, BLKSIZE); - if (size < 0) { -- ERROR("read file %s failed: %s", file, strerror(errno)); -+ SYSERROR("read file %s failed", file); - ret = -1; - break; - } else if (size == 0) { -@@ -1914,7 +1914,7 @@ static int valid_crc64(storage_entry *entry, char *rootfs) - if (fname != NULL && util_has_prefix(fname, ".wh.")) { - goto out; - } -- ERROR("stat file or dir: %s, failed: %s", file, strerror(errno)); -+ SYSERROR("stat file or dir: %s, failed", file); - ret = -1; - } else { - if (strlen(entry->payload) != PAYLOAD_CRC_LEN) { -@@ -1981,7 +1981,7 @@ static tar_split *new_tar_split(layer_t *l, const char *tspath) - - ts->tmp_file = fopen(path, "w+"); - if (ts->tmp_file == NULL) { -- ERROR("create tmpfile failed: %s", strerror(errno)); -+ SYSERROR("create tmpfile failed"); - ret = -1; - goto out; - } -@@ -2019,7 +2019,7 @@ static int next_tar_split_entry(tar_split *ts, storage_entry **entry) - if (errno == 0) { - *entry = NULL; - } else { -- ERROR("error read line from tar split: %s", strerror(errno)); -+ SYSERROR("error read line from tar split"); - ret = -1; - } - goto out; -diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c -index 07c3830b..d5e79207 100644 ---- a/src/daemon/modules/image/oci/storage/storage.c -+++ b/src/daemon/modules/image/oci/storage/storage.c -@@ -1444,7 +1444,7 @@ static int do_add_checked_layer(const char *lid, int fd, map_t *checked_layers) - // save checked layer ids into file - nret = util_write_nointr(fd, buf, strlen(lid) + 1); - if (nret < 0 || (size_t)nret != strlen(lid) + 1) { -- ERROR("Write checked layer data failed: %s", strerror(errno)); -+ SYSERROR("Write checked layer data failed"); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c -index ad7fe0f4..a233c2b1 100644 ---- a/src/daemon/modules/image/oci/utils_images.c -+++ b/src/daemon/modules/image/oci/utils_images.c -@@ -560,7 +560,7 @@ static int makesure_path_is_dir(char *path) - if (errno == ENOENT) { - return util_mkdir_p(path, TEMP_DIRECTORY_MODE); - } -- ERROR("lstat %s failed: %s", path, strerror(errno)); -+ SYSERROR("lstat %s failed.", path); - return -1; - } - -@@ -620,7 +620,7 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) - } - - if (lstat(isulad_tmpdir, &st) != 0) { -- ERROR("lstat %s failed: %s", isulad_tmpdir, strerror(errno)); -+ SYSERROR("lstat %s failed.", isulad_tmpdir); - ret = -1; - goto out; - } -@@ -631,7 +631,7 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) - ret = 0; - goto out; - } else { -- ERROR("lchown %s failed: %s", isulad_tmpdir, strerror(errno)); -+ SYSERROR("lchown %s failed", isulad_tmpdir); - } - - out: -diff --git a/src/daemon/modules/log/log_gather.c b/src/daemon/modules/log/log_gather.c -index 9b400f00..773526a8 100644 ---- a/src/daemon/modules/log/log_gather.c -+++ b/src/daemon/modules/log/log_gather.c -@@ -66,7 +66,7 @@ static int file_rotate_gz(const char *file_name, int i) - } - - if (rename(from_path, to_path) < 0 && errno != ENOENT) { -- WARN("Rename file: %s error: %s", from_path, strerror(errno)); -+ SYSWARN("Rename file: %s failed", from_path); - return -1; - } - -@@ -85,7 +85,7 @@ static int file_rotate_me(const char *file_name) - } - - if (rename(file_name, tmp_path) < 0 && errno != ENOENT) { -- WARN("Rename file: %s error: %s", file_name, strerror(errno)); -+ SYSWARN("Rename file: %s failed", file_name); - return -1; - } - -@@ -142,7 +142,7 @@ static int create_fifo() - - ret = mknod(g_fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0); - if (ret != 0 && errno != EEXIST) { -- COMMAND_ERROR("mknod failed: %s", strerror(errno)); -+ CMD_SYSERROR("mknod failed"); - } else { - ret = 0; - } -@@ -157,12 +157,12 @@ static int open_log(bool change_size) - - fd = util_open(g_fifo_path, O_RDWR | O_CLOEXEC, 0); - if (fd == -1) { -- COMMAND_ERROR("open fifo %s failed: %s", g_fifo_path, strerror(errno)); -+ CMD_SYSERROR("open fifo %s failed", g_fifo_path); - return fd; - } - - if (change_size && fcntl(fd, F_SETPIPE_SZ, LOG_FIFO_SIZE) == -1) { -- COMMAND_ERROR("set fifo buffer size failed: %s", strerror(errno)); -+ CMD_SYSERROR("set fifo buffer size failed"); - close(fd); - return -1; - } -@@ -262,7 +262,7 @@ void main_loop() - int len = (int)util_read_nointr(g_fifo_fd, rev_buf, REV_BUF_SIZE); - if (len < 0) { - if (ecount < 2) { -- COMMAND_ERROR("%d: Read message failed: %s", ecount++, strerror(errno)); -+ CMD_SYSERROR("%d: Read message failed", ecount++); - } - continue; - } -@@ -270,7 +270,7 @@ void main_loop() - - rev_buf[len] = '\0'; - if (g_save_log_op(rev_buf, (size_t)len) < 0) { -- COMMAND_ERROR("write message failed: %s", strerror(errno)); -+ CMD_SYSERROR("write message failed"); - } - } - } -@@ -289,14 +289,14 @@ static int log_file_open() - } - fd = util_open(g_log_file, O_CREAT | O_WRONLY | O_APPEND, g_log_mode); - if (fd == -1) { -- COMMAND_ERROR("Open %s failed: %s", g_log_file, strerror(errno)); -+ CMD_SYSERROR("Open %s failed", g_log_file); - ret = -1; - goto out; - } - - /* change log file mode to config, if log file exist and with different mode */ - if (fchmod(fd, g_log_mode) != 0) { -- COMMAND_ERROR("Change mode of log file: %s failed: %s", g_log_file, strerror(errno)); -+ CMD_SYSERROR("Change mode of log file: %s failed", g_log_file); - close(fd); - ret = -1; - goto out; -diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c b/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c -index 7489f8f3..cad92ce8 100644 ---- a/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c -+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_conf.c -@@ -90,7 +90,7 @@ static char *do_get_cni_net_confs_json(const char *filename) - - content = util_read_text_file(filename); - if (content == NULL) { -- ERROR("Read file %s failed: %s", filename, strerror(errno)); -+ SYSERROR("Read file %s failed", filename); - } - - return content; -diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c -index 2b9cf39c..e985cfc1 100644 ---- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c -+++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c -@@ -88,7 +88,7 @@ static int parse_container_pid(const char *S, pid_ppid_info_t *pid_info) - - num = sscanf(S, "%d %Lu %d %Lu", &pid_info->pid, &pid_info->start_time, &pid_info->ppid, &pid_info->pstart_time); - if (num != 4) { // args num to read is 4 -- ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); -+ SYSERROR("Call sscanf failed."); - return -1; - } - -@@ -210,7 +210,7 @@ static int remove_container_rootpath(const char *id, const char *root_path) - ret = util_recursive_rmdir(cont_root_path, 0); - if (ret != 0) { - const char *tmp_err = (errno != 0) ? strerror(errno) : "error"; -- ERROR("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err); -+ SYSERROR("Failed to delete container's root directory %s.", cont_root_path); - isulad_set_error_message("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err); - ret = -1; - goto out; -@@ -750,7 +750,7 @@ int rt_lcr_kill(const char *id, const char *runtime, const rt_kill_params_t *par - } else { - int ret = kill(params->pid, (int)params->signal); - if (ret < 0) { -- ERROR("Can not kill process (pid=%d) with signal %u: %s", params->pid, params->signal, strerror(errno)); -+ SYSERROR("Can not kill process (pid=%d) with signal %u.", params->pid, params->signal); - return -1; - } - } -diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c -index 5a62cc37..786071a7 100644 ---- a/src/daemon/modules/runtime/isula/isula_rt_ops.c -+++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c -@@ -390,7 +390,7 @@ static bool shim_alive(const char *workdir) - - ret = kill(pid, 0); - if (ret != 0) { -- INFO("kill 0 shim-pid with error: %s", strerror(errno)); -+ SYSINFO("kill 0 shim-pid with error."); - } - return ret == 0; - } -@@ -780,7 +780,7 @@ static int shim_create(bool fg, const char *id, const char *workdir, const char - - pid = fork(); - if (pid < 0) { -- ERROR("Failed fork for shim parent %s", strerror(errno)); -+ SYSERROR("Failed fork for shim parent"); - close(shim_stderr_pipe[0]); - close(shim_stderr_pipe[1]); - close(shim_stdout_pipe[0]); -@@ -856,7 +856,7 @@ realexec: - - status = util_wait_for_pid_status(pid); - if (status < 0) { -- ERROR("Failed wait shim-parent %d exit %s", pid, strerror(errno)); -+ SYSERROR("Failed wait shim-parent %d exit", pid); - ret = -1; - goto out; - } -@@ -1699,7 +1699,7 @@ int rt_isula_exec_resize(const char *id, const char *runtime, const rt_exec_resi - } - - if (kill(pid, SIGWINCH) < 0) { -- ERROR("can't kill process (pid=%d) with signal %u: %s", pid, SIGWINCH, strerror(errno)); -+ SYSERROR("can't kill process (pid=%d) with signal %u", pid, SIGWINCH); - ret = -1; - goto out; - } -@@ -1727,7 +1727,7 @@ int rt_isula_kill(const char *id, const char *runtime, const rt_kill_params_t *p - } else { - int ret = kill(params->pid, (int)params->signal); - if (ret < 0) { -- ERROR("Can not kill process (pid=%d) with signal %u: %s", params->pid, params->signal, strerror(errno)); -+ SYSERROR("Can not kill process (pid=%d) with signal %u", params->pid, params->signal); - return -1; - } - } -diff --git a/src/daemon/modules/runtime/shim/shim_rt_monitor.cc b/src/daemon/modules/runtime/shim/shim_rt_monitor.cc -index 3b6274ea..f5178c26 100644 ---- a/src/daemon/modules/runtime/shim/shim_rt_monitor.cc -+++ b/src/daemon/modules/runtime/shim/shim_rt_monitor.cc -@@ -114,7 +114,7 @@ private: - - exit_fifo_fd = util_open(exit_fifo.c_str(), O_WRONLY | O_NONBLOCK, 0); - if (exit_fifo_fd < 0) { -- ERROR("Failed to open exit FIFO %s: %s.", exit_fifo.c_str(), strerror(errno)); -+ SYSERROR("Failed to open exit FIFO %s.", exit_fifo.c_str()); - return -1; - } - -diff --git a/src/daemon/modules/runtime/shim/shim_rt_ops.c b/src/daemon/modules/runtime/shim/shim_rt_ops.c -index 73d5de1c..d348dfe1 100644 ---- a/src/daemon/modules/runtime/shim/shim_rt_ops.c -+++ b/src/daemon/modules/runtime/shim/shim_rt_ops.c -@@ -210,7 +210,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w - - pid = fork(); - if (pid < 0) { -- ERROR("Failed to fork for shim parent %s", strerror(errno)); -+ SYSERROR("Failed to fork for shim parent"); - ret = -1; - goto out; - } -@@ -264,7 +264,7 @@ static int shim_bin_v2_create(const char *runtime, const char *id, const char *w - - status = util_wait_for_pid_status(pid); - if (status < 0) { -- ERROR("failed to wait shim-parent %d exit %s", pid, strerror(errno)); -+ SYSERROR("failed to wait shim-parent %d exit", pid); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/service/io_handler.c b/src/daemon/modules/service/io_handler.c -index 0cb9fda9..474fa650 100644 ---- a/src/daemon/modules/service/io_handler.c -+++ b/src/daemon/modules/service/io_handler.c -@@ -330,7 +330,7 @@ static ssize_t write_to_fifo(void *context, const void *data, size_t len) - fd = *(int *)context; - ret = util_write_nointr_in_total(fd, data, len); - if ((ret <= 0) || (ret != (ssize_t)len)) { -- ERROR("Failed to write %d: %s", fd, strerror(errno)); -+ SYSERROR("Failed to write %d", fd); - return -1; - } - return ret; -@@ -341,7 +341,7 @@ static ssize_t write_to_fd(void *context, const void *data, size_t len) - ssize_t ret; - ret = util_write_nointr(*(int *)context, data, len); - if (ret < 0 || (size_t)ret != len) { -- ERROR("Failed to write: %s", strerror(errno)); -+ SYSERROR("Failed to write"); - return -1; - } - return ret; -diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c -index c4ee0223..483670de 100644 ---- a/src/daemon/modules/service/service_container.c -+++ b/src/daemon/modules/service/service_container.c -@@ -575,7 +575,7 @@ static int umount_dev_tmpfs_for_system_container(const container_t *cont) - return -1; - } - if (umount(rootfs_dev_path) < 0 && errno != ENOENT) { -- WARN("Failed to umount dev tmpfs: %s, error: %s", rootfs_dev_path, strerror(errno)); -+ SYSWARN("Failed to umount dev tmpfs: %s", rootfs_dev_path); - } - } - return 0; -@@ -595,7 +595,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem - } - - if (lstat(mp->source, &st) != 0) { -- ERROR("lstat %s: %s", mp->source, strerror(errno)); -+ SYSERROR("lstat %s failed", mp->source); - isulad_set_error_message("lstat %s: %s", mp->source, strerror(errno)); - return -1; - } -@@ -679,8 +679,7 @@ static void wait_exit_fifo(const char *id, const int exit_fifo_fd) - descr.timeout_cbdata = container_id; - nret = epoll_loop(&descr, WAIT_TIMEOUT); - if (nret != 0) { -- ERROR("Wait container %s 's monitor on fd %d error: %s", id, exit_fifo_fd, -- errno ? strerror(errno) : ""); -+ SYSERROR("Wait container %s 's monitor on fd %d failed", id, exit_fifo_fd); - goto out; - } - -@@ -1266,7 +1265,7 @@ static int do_delete_container(container_t *cont) - } - ret = util_recursive_rmdir(container_state, 0); - if (ret != 0) { -- ERROR("Failed to delete container's state directory %s: %s", container_state, strerror(errno)); -+ SYSERROR("Failed to delete container's state directory %s", container_state); - ret = -1; - goto out; - } -@@ -1399,7 +1398,7 @@ static int send_signal_to_process(pid_t pid, unsigned long long start_time, uint - } else { - int ret = kill(pid, (int)signal); - if (ret < 0) { -- ERROR("Can not kill process (pid=%d) with signal %u: %s", pid, signal, strerror(errno)); -+ SYSERROR("Can not kill process (pid=%d) with signal %u", pid, signal); - return -1; - } - } -@@ -2157,7 +2156,7 @@ static void exec_container_end(container_exec_response *response, const containe - } - if (sync_fd >= 0 && cc != ISULAD_SUCCESS) { - if (eventfd_write(sync_fd, 1) < 0) { -- ERROR("Failed to write eventfd: %s", strerror(errno)); -+ SYSERROR("Failed to write eventfd"); - } - } - if (thread_id > 0) { -diff --git a/src/daemon/modules/service/service_network.c b/src/daemon/modules/service/service_network.c -index c617852f..5502bcbd 100644 ---- a/src/daemon/modules/service/service_network.c -+++ b/src/daemon/modules/service/service_network.c -@@ -961,7 +961,7 @@ static int do_update_internal_file(const char *id, const char *file_path, - WARN("failed to write file %s in readonly file system", file_path); - ret = 0; - } else { -- ERROR("Failed to write file %s: %s", file_path, strerror(errno)); -+ SYSERROR("Failed to write file %s", file_path); - isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); - ret = -1; - } -@@ -1179,7 +1179,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de - WARN("failed to open file %s in readonly file system", file_path); - goto out; - } else { -- ERROR("Failed to open %s: %s", file_path, strerror(errno)); -+ SYSERROR("Failed to open %s", file_path); - isulad_set_error_message("Failed to open %s: %s", file_path, strerror(errno)); - ret = -1; - goto out; -@@ -1212,7 +1212,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de - - ret = util_write_file(file_path, str, strlen(str), NETWORK_MOUNT_FILE_MODE); - if (ret != 0) { -- ERROR("Failed to write file %s: %s", file_path, strerror(errno)); -+ SYSERROR("Failed to write file %s", file_path); - isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); - goto out; - } -diff --git a/src/daemon/modules/spec/specs.c b/src/daemon/modules/spec/specs.c -index d5bb68f4..3454a8c6 100644 ---- a/src/daemon/modules/spec/specs.c -+++ b/src/daemon/modules/spec/specs.c -@@ -2405,7 +2405,7 @@ int save_oci_config(const char *id, const char *rootpath, const oci_runtime_spec - - if (util_atomic_write_file(file_path, json_container, strlen(json_container), DEFAULT_SECURE_FILE_MODE, false) != - 0) { -- ERROR("write json container failed: %s", strerror(errno)); -+ SYSERROR("write json container failed"); - ret = -1; - goto out_free; - } -diff --git a/src/daemon/modules/spec/specs_mount.c b/src/daemon/modules/spec/specs_mount.c -index dc1ca1f1..ade22a02 100644 ---- a/src/daemon/modules/spec/specs_mount.c -+++ b/src/daemon/modules/spec/specs_mount.c -@@ -1430,7 +1430,7 @@ static int copy_data_to_volume(char *base_fs, defs_mount *mnt) - if (errno == ENOENT) { - goto out; - } -- ERROR("stat for copy data to volume failed: %s", strerror(errno)); -+ SYSERROR("stat for copy data to volume failed"); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c -index e384b8cc..6180b887 100644 ---- a/src/daemon/modules/spec/verify.c -+++ b/src/daemon/modules/spec/verify.c -@@ -248,7 +248,7 @@ static bool check_kernel_version_ge4() - - ret = uname(&uts); - if (ret < 0) { -- WARN("Can not get kernel version: %s", strerror(errno)); -+ SYSWARN("Can not get kernel version"); - } else { - /* greater or equal than 4.0.0, check first part is enough */ - return atoi(uts.release) >= 4; -@@ -1332,7 +1332,7 @@ static int get_source_mount(const char *src, char **srcpath, char **optional) - char *dname = NULL; - - if (realpath(src, real_path) == NULL) { -- ERROR("Failed to get real path for %s : %s", src, strerror(errno)); -+ SYSERROR("Failed to get real path for %s", src); - return -1; - } - -@@ -1535,7 +1535,7 @@ static int verify_custom_mount(defs_mount **mounts, size_t len) - #else - if (!util_file_exists(iter->source) && util_mkdir_p(iter->source, mode)) { - #endif -- ERROR("Failed to create directory '%s': %s", iter->source, strerror(errno)); -+ SYSERROR("Failed to create directory '%s'", iter->source); - isulad_try_set_error_message("Failed to create directory '%s': %s", iter->source, strerror(errno)); - ret = -1; - goto out; -diff --git a/src/daemon/modules/volume/local.c b/src/daemon/modules/volume/local.c -index 994ed96a..7f95757d 100644 ---- a/src/daemon/modules/volume/local.c -+++ b/src/daemon/modules/volume/local.c -@@ -165,7 +165,7 @@ static int init_volume_root_dir(struct volumes_info *vols_info, const char *root - - ret = util_mkdir_p(root_dir, LOCAL_VOLUME_ROOT_DIR_MODE); - if (ret != 0) { -- ERROR("create volume directory %s failed: %s", root_dir, strerror(errno)); -+ SYSERROR("create volume directory %s failed", root_dir); - goto out; - } - -@@ -229,7 +229,7 @@ static char *build_and_valid_data_dir(const char *root_dir, const char *name) - } - - if (lstat(tmp_dir, &st) != 0) { -- ERROR("lstat %s: %s", tmp_dir, strerror(errno)); -+ SYSERROR("lstat %s failed", tmp_dir); - ret = -1; - goto out; - } -@@ -388,7 +388,7 @@ static struct volume *volume_create_nolock(char *name) - - ret = util_mkdir_p(v->path, LOCAL_VOLUME_DIR_MODE); - if (ret != 0) { -- ERROR("failed to create %s for volume %s: %s", v->path, v->name, strerror(errno)); -+ SYSERROR("failed to create %s for volume %s", v->path, v->name); - goto out; - } - -@@ -556,14 +556,14 @@ static int remove_volume_dir(char *path) - // remain untouched if we remove the data directory failed. - ret = util_recursive_rmdir(path, 0); - if (ret != 0) { -- ERROR("failed to remove volume data dir %s: %s", path, strerror(errno)); -+ SYSERROR("failed to remove volume data dir %s", path); - isulad_try_set_error_message("failed to remove volume data dir %s: %s", path, strerror(errno)); - goto out; - } - - ret = util_recursive_rmdir(vol_dir, 0); - if (ret != 0) { -- ERROR("failed to remove volume dir %s: %s", vol_dir, strerror(errno)); -+ SYSERROR("failed to remove volume dir %s", vol_dir); - isulad_try_set_error_message("failed to remove volume dir %s: %s", vol_dir, strerror(errno)); - goto out; - } -@@ -586,7 +586,7 @@ static int volume_remove_nolock(char *name) - } - - if (remove_volume_dir(v->path) != 0) { -- ERROR("failed to remove volume dir %s: %s", v->path, strerror(errno)); -+ SYSERROR("failed to remove volume dir %s", v->path); - return -1; - } - -diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc -index 94c2684a..d3fc7eea 100644 ---- a/src/daemon/sandbox/sandbox.cc -+++ b/src/daemon/sandbox/sandbox.cc -@@ -833,7 +833,7 @@ auto Sandbox::SaveNetworkSetting(Errors &error) -> bool - nret = util_atomic_write_file(path.c_str(), m_networkSettings.c_str(), m_networkSettings.length(), CONFIG_FILE_MODE, - false); - if (nret != 0) { -- ERROR("Failed to write file %s: %s", path.c_str(), strerror(errno)); -+ SYSERROR("Failed to write file %s", path.c_str()); - error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); - return false; - } -diff --git a/src/utils/console/console.c b/src/utils/console/console.c -index a160d685..568832e8 100644 ---- a/src/utils/console/console.c -+++ b/src/utils/console/console.c -@@ -36,7 +36,7 @@ static ssize_t fd_write_function(void *context, const void *data, size_t len) - - ret = util_write_nointr_in_total(*(int *)context, data, len); - if ((ret <= 0) || (ret != (ssize_t)len)) { -- ERROR("Failed to write: %s", strerror(errno)); -+ SYSERROR("Failed to write"); - return -1; - } - return ret; -@@ -100,7 +100,7 @@ static int console_writer_write_data(const struct io_write_wrapper *writer, cons - } - ret = writer->write_func(writer->context, buf, (size_t)len); - if (ret <= 0 || ret != len) { -- ERROR("Failed to write, type: %d, expect: %zd, wrote: %zd, error: %s!", writer->io_type, len, ret, strerror(errno)); -+ SYSERROR("Failed to write, type: %d, expect: %zd, wrote: %zd!", writer->io_type, len, ret); - return -1; - } - return 0; -@@ -187,7 +187,7 @@ int console_fifo_name(const char *rundir, const char *subpath, const char *stdfl - if (do_mkdirp) { - ret = util_mkdir_p(fifo_path, CONSOLE_FIFO_DIRECTORY_MODE); - if (ret < 0) { -- COMMAND_ERROR("Unable to create console fifo directory %s: %s.", fifo_path, strerror(errno)); -+ CMD_SYSERROR("Unable to create console fifo directory %s.", fifo_path); - goto out; - } - } -@@ -215,7 +215,7 @@ int console_fifo_create(const char *fifo_path) - - ret = mknod(fifo_path, S_IFIFO | S_IRUSR | S_IWUSR, (dev_t)0); - if (ret < 0 && errno != EEXIST) { -- ERROR("Failed to mknod monitor fifo %s: %s.", fifo_path, strerror(errno)); -+ SYSERROR("Failed to mknod monitor fifo %s.", fifo_path); - return -1; - } - -@@ -265,7 +265,7 @@ int console_fifo_open(const char *fifo_path, int *fdout, int flags) - - fd = util_open(fifo_path, flags, (mode_t)0); - if (fd < 0) { -- ERROR("Failed to open fifo %s to send message: %s.", fifo_path, strerror(errno)); -+ SYSERROR("Failed to open fifo %s to send message.", fifo_path); - return -1; - } - -@@ -281,7 +281,7 @@ int console_fifo_open_withlock(const char *fifo_path, int *fdout, int flags) - - fd = util_open(fifo_path, flags, 0); - if (fd < 0) { -- WARN("Failed to open fifo %s to send message: %s.", fifo_path, strerror(errno)); -+ SYSWARN("Failed to open fifo %s to send message.", fifo_path); - return -1; - } - -@@ -411,12 +411,12 @@ int console_loop_with_std_fd(int stdinfd, int stdoutfd, int stderrfd, int fifoin - if (tty) { - ret = epoll_loop_add_handler(&descr, ts.stdin_reader, console_cb_tty_stdin_with_escape, &ts); - if (ret) { -- INFO("Add handler for stdinfd faied. with error %s", strerror(errno)); -+ SYSINFO("Add handler for stdinfd faied."); - } - } else { - ret = epoll_loop_add_handler(&descr, ts.stdin_reader, console_cb_stdio_copy, &ts); - if (ret) { -- INFO("Add handler for stdinfd faied. with error %s", strerror(errno)); -+ SYSINFO("Add handler for stdinfd faied."); - } - } - } -diff --git a/src/utils/cutils/network_namespace.c b/src/utils/cutils/network_namespace.c -index 212f0bd7..0e225d9b 100644 ---- a/src/utils/cutils/network_namespace.c -+++ b/src/utils/cutils/network_namespace.c -@@ -175,7 +175,7 @@ int remove_network_namespace(const char *netns_path) - } - - if (umount_network_namespace(netns_path) != 0) { -- ERROR("Failed to umount directory %s:%s", netns_path, strerror(errno)); -+ SYSERROR("Failed to umount directory %s", netns_path); - return -1; - } - -diff --git a/src/utils/cutils/path.c b/src/utils/cutils/path.c -index d586e981..51d73445 100644 ---- a/src/utils/cutils/path.c -+++ b/src/utils/cutils/path.c -@@ -698,7 +698,7 @@ static char *find_realpath(const char *path) - - ret = (int)readlink(iter_path, target, PATH_MAX - 1); - if (ret < 0) { -- ERROR("Failed to read link of %s: %s", iter_path, strerror(errno)); -+ SYSERROR("Failed to read link of %s.", iter_path); - goto out; - } - // is not absolutely path -@@ -745,7 +745,7 @@ int util_realpath_in_scope(const char *rootfs, const char *path, char **real_pat - - int nret = snprintf(full_path, sizeof(full_path), "%s%s", rootfs, path); - if (nret < 0 || (size_t)nret >= sizeof(full_path)) { -- ERROR("sprintf error: %s", strerror(errno)); -+ SYSERROR("sprintf failed"); - ret = -1; - goto out; - } -diff --git a/src/utils/cutils/utils.c b/src/utils/cutils/utils.c -index ecd530bc..d946694c 100644 ---- a/src/utils/cutils/utils.c -+++ b/src/utils/cutils/utils.c -@@ -480,7 +480,7 @@ proc_t *util_stat2proc(const char *s, size_t len) - num = sscanf(s, "%d (%15c", &p->pid, p->cmd); - #endif - if (num != 2) { -- ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); -+ SYSERROR("Call sscanf error"); - free(p); - return NULL; - } -@@ -495,7 +495,7 @@ proc_t *util_stat2proc(const char *s, size_t len) - &p->maj_flt, &p->cmaj_flt, &p->utime, &p->stime, &p->cutime, &p->cstime, &p->priority, &p->nice, - &p->timeout, &p->it_real_value, &p->start_time); - if (num != 20) { // max arg to read -- ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); -+ SYSERROR("Call sscanf error"); - free(p); - return NULL; - } -@@ -1159,7 +1159,7 @@ static int set_echo_back(bool echo_back) - struct termios old, new; - - if (tcgetattr(STDIN_FILENO, &old)) { -- ERROR("get tc attribute failed: %s\n", strerror(errno)); -+ SYSERROR("get tc attribute failed"); - return -1; - } - -@@ -1172,7 +1172,7 @@ static int set_echo_back(bool echo_back) - } - - if (tcsetattr(STDIN_FILENO, TCSANOW, &new)) { -- ERROR("set tc attribute failed: %s\n", strerror(errno)); -+ SYSERROR("set tc attribute failed"); - return -1; - } - -@@ -1498,7 +1498,7 @@ int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_v - } - - if (uname(&uts) < 0) { -- ERROR("Failed to read host arch and os: %s", strerror(errno)); -+ SYSERROR("Failed to read host arch and os"); - return -1; - } - -@@ -1655,7 +1655,7 @@ int util_create_shm_path(const char *spath, const int64_t shm_size) - - nret = mount("shm", spath, "tmpfs", MS_NOEXEC | MS_NODEV | MS_NOSUID, shmproperty); - if (nret < 0) { -- ERROR("Mount %s failed: %s", spath, strerror(errno)); -+ SYSERROR("Mount %s failed", spath); - return -1; - } - -diff --git a/src/utils/cutils/utils_aes.c b/src/utils/cutils/utils_aes.c -index 055a9538..2eecf2d6 100644 ---- a/src/utils/cutils/utils_aes.c -+++ b/src/utils/cutils/utils_aes.c -@@ -72,13 +72,13 @@ int util_aes_key(const char *key_file, bool create, unsigned char *aeskey) - } else { - fd = open(key_file, O_RDONLY); - if (fd < 0) { -- ERROR("open key file %s failed: %s", key_file, strerror(errno)); -+ SYSERROR("open key file %s failed", key_file); - ret = -1; - goto out; - } - - if (util_read_nointr(fd, aeskey, AES_256_CFB_KEY_LEN) != AES_256_CFB_KEY_LEN) { -- ERROR("read key file %s failed: %s", key_file, strerror(errno)); -+ SYSERROR("read key file %s failed", key_file); - ret = -1; - goto out; - } -@@ -163,14 +163,14 @@ int util_aes_encode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns - evp_ret = EVP_EncryptInit(ctx, cipher, aeskey, iv); - #endif - if (evp_ret != 1) { -- ERROR("init evp decrypt failed, result %d: %s", evp_ret, strerror(errno)); -+ SYSERROR("init evp decrypt failed, result %d", evp_ret); - ret = -1; - goto out; - } - - evp_ret = EVP_EncryptUpdate(ctx, (*out) + AES_256_CFB_IV_LEN, &tmp_out_len, bytes, len); - if (evp_ret != 1) { -- ERROR("evp encrypt update failed, result %d: %s", evp_ret, strerror(errno)); -+ SYSERROR("evp encrypt update failed, result %d", evp_ret); - ret = -1; - goto out; - } -@@ -182,7 +182,7 @@ int util_aes_encode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns - evp_ret = EVP_EncryptFinal(ctx, (*out) + AES_256_CFB_IV_LEN + tmp_out_len, &tmp_out_len); - #endif - if (evp_ret != 1) { -- ERROR("evp encrypt final failed, result %d: %s", evp_ret, strerror(errno)); -+ SYSERROR("evp encrypt final failed, result %d", evp_ret); - ret = -1; - goto out; - } -@@ -256,7 +256,7 @@ int util_aes_decode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns - evp_ret = EVP_DecryptInit(ctx, cipher, aeskey, iv); - #endif - if (evp_ret != 1) { -- ERROR("init evp decrypt failed, result %d: %s", evp_ret, strerror(errno)); -+ SYSERROR("init evp decrypt failed, result %d", evp_ret); - ret = -1; - goto out; - } -@@ -264,7 +264,7 @@ int util_aes_decode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns - expected_size = len - AES_256_CFB_IV_LEN; - evp_ret = EVP_DecryptUpdate(ctx, *out, &tmp_out_len, bytes + AES_256_CFB_IV_LEN, expected_size); - if (evp_ret != 1) { -- ERROR("evp decrypt update failed, result %d: %s", evp_ret, strerror(errno)); -+ SYSERROR("evp decrypt update failed, result %d", evp_ret); - ret = -1; - goto out; - } -@@ -276,7 +276,7 @@ int util_aes_decode(unsigned char *aeskey, unsigned char *bytes, size_t len, uns - evp_ret = EVP_DecryptFinal(ctx, (*out) + tmp_out_len, &tmp_out_len); - #endif - if (evp_ret != 1) { -- ERROR("evp decrypt final failed, result %d: %s", evp_ret, strerror(errno)); -+ SYSERROR("evp decrypt final failed, result %d", evp_ret); - ret = -1; - goto out; - } -diff --git a/src/utils/cutils/utils_base64.c b/src/utils/cutils/utils_base64.c -index 3871140e..78e5ae0d 100644 ---- a/src/utils/cutils/utils_base64.c -+++ b/src/utils/cutils/utils_base64.c -@@ -47,7 +47,7 @@ int util_base64_encode(unsigned char *bytes, size_t len, char **out) - } - - if (EVP_EncodeBlock((uint8_t *)(*out), (const uint8_t *)bytes, len) == 0) { -- ERROR("Encode base64 failed: %s", strerror(errno)); -+ SYSERROR("Encode base64 failed"); - free(encoded); - return -1; - } -@@ -78,7 +78,7 @@ int util_base64_decode(const char *input, size_t len, unsigned char **out, size_ - } - - if (EVP_DecodeBase64((uint8_t *)decoded, &decoded_size, decoded_size, (const uint8_t *)input, len) == 0) { -- ERROR("Decode base64 failed: %s", strerror(errno)); -+ SYSERROR("Decode base64 failed"); - free(decoded); - return -1; - } -diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c -index 8480dd94..bc22ee95 100644 ---- a/src/utils/cutils/utils_file.c -+++ b/src/utils/cutils/utils_file.c -@@ -231,7 +231,7 @@ int util_mkdir_p_userns_remap(const char *dir, mode_t mode, const char *userns_r - if (*cur_dir) { - ret = mkdir(cur_dir, mode); - if (ret != 0 && (errno != EEXIST || !util_dir_exists(cur_dir))) { -- ERROR("failed to create directory '%s': %s", cur_dir, strerror(errno)); -+ SYSERROR("failed to create directory '%s'", cur_dir); - goto err_out; - } - if (ret == 0 && userns_remap != NULL && chown(cur_dir, host_uid, host_gid) != 0) { -@@ -318,14 +318,14 @@ bool util_force_remove_file(const char *fname, int *saved_errno) - if (saved_errno != NULL && *saved_errno == 0) { - *saved_errno = errno; - } -- WARN("Failed to delete %s: %s", fname, strerror(errno)); -+ SYSWARN("Failed to delete %s", fname); - - if (mark_file_mutable(fname) != 0) { - WARN("Failed to mark file mutable"); - } - - if (unlink(fname) != 0) { -- ERROR("Failed to delete \"%s\": %s", fname, strerror(errno)); -+ SYSERROR("Failed to delete \"%s\"", fname); - return false; - } - -@@ -711,7 +711,7 @@ int util_gzip_compressed(const char *filename, bool *gzip) - - f = fopen(filename, "rb"); - if (f == NULL) { -- ERROR("Failed to open file %s: %s", filename, strerror(errno)); -+ SYSERROR("Failed to open file %s", filename); - return -1; - } - -@@ -887,7 +887,7 @@ char *util_read_text_file(const char *path) - - readlen = fread(buf, 1, (size_t)len, filp); - if (((readlen < (size_t)len) && (!feof(filp))) || (readlen > (size_t)len)) { -- ERROR("Failed to read file %s, error: %s\n", path, strerror(errno)); -+ SYSERROR("Failed to read file %s.", path); - UTIL_FREE_AND_SET_NULL(buf); - goto err_out; - } -@@ -913,7 +913,7 @@ int64_t util_file_size(const char *filename) - } - - if (stat(filename, &st)) { -- WARN("stat file %s failed: %s", filename, strerror(errno)); -+ SYSWARN("stat file %s failed", filename); - return -1; - } - -@@ -932,7 +932,7 @@ int util_scan_subdirs(const char *directory, subdir_callback_t cb, void *context - - dir = opendir(directory); - if (dir == NULL) { -- ERROR("Failed to open directory: %s error:%s", directory, strerror(errno)); -+ SYSERROR("Failed to open directory: %s", directory); - return -1; - } - -@@ -967,7 +967,7 @@ int util_list_all_subdir(const char *directory, char ***out) - - dir = opendir(directory); - if (dir == NULL) { -- ERROR("Failed to open directory: %s error:%s", directory, strerror(errno)); -+ SYSERROR("Failed to open directory: %s", directory); - return -1; - } - direntp = readdir(dir); -@@ -1115,14 +1115,14 @@ int util_write_file(const char *fname, const char *content, size_t content_len, - } - dst_fd = util_open(fname, O_WRONLY | O_CREAT | O_TRUNC, mode); - if (dst_fd < 0) { -- ERROR("Creat file: %s, failed: %s", fname, strerror(errno)); -+ SYSERROR("Creat file: %s, failed", fname); - ret = -1; - goto free_out; - } - len = util_write_nointr(dst_fd, content, content_len); - if (len < 0 || ((size_t)len) != content_len) { - ret = -1; -- ERROR("Write file failed: %s", strerror(errno)); -+ SYSERROR("Write file failed"); - goto free_out; - } - free_out: -@@ -1141,7 +1141,7 @@ char *verify_file_and_get_real_path(const char *file) - return NULL; - } - if (realpath(file, resolved_path) == NULL) { -- ERROR("Failed to get realpath: %s , %s", resolved_path, strerror(errno)); -+ SYSERROR("Failed to get realpath: %s.", resolved_path); - return NULL; - } - -@@ -1171,33 +1171,33 @@ int util_copy_file(const char *src_file, const char *dst_file, mode_t mode) - } - nret = realpath(src_file, real_src_file); - if (nret == NULL) { -- ERROR("real path: %s, return: %s", src_file, strerror(errno)); -+ SYSERROR("real path: %s failed.", src_file); - ret = -1; - return ret; - } - src_fd = util_open(real_src_file, O_RDONLY, CONFIG_FILE_MODE); - if (src_fd < 0) { -- ERROR("Open src file: %s, failed: %s", real_src_file, strerror(errno)); -+ SYSERROR("Open src file: %s, failed", real_src_file); - ret = -1; - goto free_out; - } - dst_fd = util_open(dst_file, O_WRONLY | O_CREAT | O_TRUNC, mode); - if (dst_fd < 0) { -- ERROR("Creat file: %s, failed: %s", dst_file, strerror(errno)); -+ SYSERROR("Creat file: %s, failed", dst_file); - ret = -1; - goto free_out; - } - while (true) { - ssize_t len = util_read_nointr(src_fd, buf, BUFSIZE); - if (len < 0) { -- ERROR("Read src file failed: %s", strerror(errno)); -+ SYSERROR("Read src file failed"); - ret = -1; - goto free_out; - } else if (len == 0) { - break; - } - if (util_write_nointr(dst_fd, buf, (size_t)len) != len) { -- ERROR("Write file failed: %s", strerror(errno)); -+ SYSERROR("Write file failed"); - ret = -1; - goto free_out; - } -@@ -1489,7 +1489,7 @@ static int do_atomic_write_file(const char *fname, const char *content, size_t c - - dst_fd = util_open(fname, O_WRONLY | O_CREAT | O_TRUNC, mode); - if (dst_fd < 0) { -- ERROR("Creat file: %s, failed: %s", fname, strerror(errno)); -+ SYSERROR("Creat file: %s, failed", fname); - ret = -1; - goto free_out; - } -@@ -1497,7 +1497,7 @@ static int do_atomic_write_file(const char *fname, const char *content, size_t c - len = util_write_nointr(dst_fd, content, content_len); - if (len < 0 || ((size_t)len) != content_len) { - ret = -1; -- ERROR("Write file failed: %s", strerror(errno)); -+ SYSERROR("Write file failed"); - goto free_out; - } - -@@ -1673,7 +1673,7 @@ int util_proc_file_line_by_line(FILE *fp, read_line_callback_t cb, void *context - // end of file - if (errno != 0) { - ret = -1; -- ERROR("read line failed: %s", strerror(errno)); -+ SYSERROR("read line failed"); - } - goto out; - } -@@ -1761,7 +1761,7 @@ static int copy_own(char *copy_dst, struct stat *src_stat) - struct stat dst_stat = { 0 }; - - if (lstat(copy_dst, &dst_stat) != 0) { -- ERROR("lstat %s failed: %s", copy_dst, strerror(errno)); -+ SYSERROR("lstat %s failed", copy_dst); - return -1; - } - -@@ -1770,7 +1770,7 @@ static int copy_own(char *copy_dst, struct stat *src_stat) - return 0; - } - -- ERROR("lchown %s failed: %s", copy_dst, strerror(errno)); -+ SYSERROR("lchown %s failed", copy_dst); - - return ret; - } -@@ -1782,7 +1782,7 @@ static int copy_mode(char *copy_dst, struct stat *src_stat) - } - - if (chmod(copy_dst, src_stat->st_mode) != 0) { -- ERROR("chmod %s failed: %s", copy_dst, strerror(errno)); -+ SYSERROR("chmod %s failed", copy_dst); - return -1; - } - -@@ -1795,7 +1795,7 @@ static int copy_time(char *copy_dst, struct stat *src_stat) - - // copy_dst is absolute path, so first argment is ignored. - if (utimensat(0, copy_dst, tm, AT_SYMLINK_NOFOLLOW) != 0) { -- ERROR("failed to set time of %s: %s", copy_dst, strerror(errno)); -+ SYSERROR("failed to set time of %s", copy_dst); - return -1; - } - -@@ -1806,10 +1806,10 @@ static int set_one_xattr(char *copy_dst, char *key, char *value, ssize_t size) - { - if (lsetxattr(copy_dst, key, value, size, 0) != 0) { - if (errno == ENOTSUP) { -- DEBUG("ignore copy xattr %s of %s: %s", key, copy_dst, strerror(errno)); -+ SYSDEBUG("ignore copy xattr %s of %s", key, copy_dst); - return 0; - } -- ERROR("failed to set xattr %s of %s: %s", key, copy_dst, strerror(errno)); -+ SYSERROR("failed to set xattr %s of %s", key, copy_dst); - return -1; - } - -@@ -1831,10 +1831,10 @@ static int do_copy_xattrs(char *copy_dst, char *copy_src, char *xattrs, ssize_t - size = lgetxattr(copy_src, key, NULL, 0); - if (size < 0) { - if (errno == ENOTSUP) { -- DEBUG("ignore copy xattr %s of %s: %s", key, copy_src, strerror(errno)); -+ SYSDEBUG("ignore copy xattr %s of %s", key, copy_src); - continue; - } -- ERROR("failed to get xattr %s of %s: %s", key, copy_src, strerror(errno)); -+ SYSERROR("failed to get xattr %s of %s", key, copy_src); - ret = -1; - goto out; - } -@@ -1855,10 +1855,10 @@ static int do_copy_xattrs(char *copy_dst, char *copy_src, char *xattrs, ssize_t - - if (lgetxattr(copy_src, key, value, size) < 0) { - if (errno == ENOTSUP) { -- DEBUG("ignore copy xattr %s of %s: %s", key, copy_src, strerror(errno)); -+ SYSDEBUG("ignore copy xattr %s of %s", key, copy_src); - continue; - } -- ERROR("failed to get xattr %s of %s: %s", key, copy_src, strerror(errno)); -+ SYSERROR("failed to get xattr %s of %s", key, copy_src); - ret = -1; - goto out; - } -@@ -1884,10 +1884,10 @@ static int copy_xattrs(char *copy_dst, char *copy_src) - xattrs_len = llistxattr(copy_src, NULL, 0); - if (xattrs_len < 0) { - if (errno == ENOTSUP) { -- DEBUG("ignore copy xattrs of %s: %s", copy_src, strerror(errno)); -+ SYSDEBUG("ignore copy xattrs of %s", copy_src); - return 0; - } -- ERROR("failed to get xattrs length of %s: %s", copy_src, strerror(errno)); -+ SYSERROR("failed to get xattrs length of %s", copy_src); - return -1; - } - -@@ -1904,10 +1904,10 @@ static int copy_xattrs(char *copy_dst, char *copy_src) - - if (llistxattr(copy_src, xattrs, xattrs_len) < 0) { - if (errno == ENOTSUP) { -- DEBUG("ignore copy xattrs of %s: %s", copy_src, strerror(errno)); -+ SYSDEBUG("ignore copy xattrs of %s", copy_src); - goto out; - } -- ERROR("failed to list xattrs of %s: %s", copy_src, strerror(errno)); -+ SYSERROR("failed to list xattrs of %s", copy_src); - ret = -1; - goto out; - } -@@ -1953,7 +1953,7 @@ static int copy_folder(char *copy_dst, char *copy_src) - struct stat dst_stat = { 0 }; - - if (lstat(copy_src, &src_stat) != 0) { -- ERROR("stat %s failed: %s", copy_src, strerror(errno)); -+ SYSERROR("stat %s failed", copy_src); - return -1; - } - if (!S_ISDIR(src_stat.st_mode)) { -@@ -1963,7 +1963,7 @@ static int copy_folder(char *copy_dst, char *copy_src) - - if (lstat(copy_dst, &dst_stat) != 0) { - if (mkdir(copy_dst, src_stat.st_mode) != 0) { -- ERROR("failed to mkdir %s: %s", copy_dst, strerror(errno)); -+ SYSERROR("failed to mkdir %s", copy_dst); - return -1; - } - } else if (!S_ISDIR(dst_stat.st_mode)) { -@@ -1971,7 +1971,7 @@ static int copy_folder(char *copy_dst, char *copy_src) - return -1; - } else { - if (chmod(copy_dst, src_stat.st_mode) != 0) { -- ERROR("failed to chmod %s: %s", copy_dst, strerror(errno)); -+ SYSERROR("failed to chmod %s.", copy_dst); - return -1; - } - } -@@ -1988,7 +1988,7 @@ static int copy_regular(char *copy_dst, char *copy_src, struct stat *src_stat, m - target = map_search(inodes, (void *)(&(src_stat->st_ino))); - if (target != NULL) { - if (link(target, copy_dst) != 0) { -- ERROR("failed to link %s to %s: %s", target, copy_dst, strerror(errno)); -+ SYSERROR("failed to link %s to %s", target, copy_dst); - return -1; - } - return 0; -@@ -2008,12 +2008,12 @@ static int copy_symbolic(char *copy_dst, char *copy_src) - char link[PATH_MAX] = { 0 }; - - if (readlink(copy_src, link, sizeof(link)) < 0) { -- ERROR("readlink of %s failed: %s", copy_src, strerror(errno)); -+ SYSERROR("readlink of %s failed", copy_src); - return -1; - } - - if (symlink(link, copy_dst) != 0) { -- ERROR("create symbolic %s failed: %s", copy_dst, strerror(errno)); -+ SYSERROR("create symbolic %s failed", copy_dst); - return -1; - } - -@@ -2023,7 +2023,7 @@ static int copy_symbolic(char *copy_dst, char *copy_src) - static int copy_device(char *copy_dst, char *copy_src, struct stat *src_stat) - { - if (mknod(copy_dst, src_stat->st_mode, src_stat->st_dev) != 0) { -- ERROR("mknod %s failed: %s", copy_dst, strerror(errno)); -+ SYSERROR("mknod %s failed", copy_dst); - return -1; - } - return 0; -diff --git a/src/utils/cutils/utils_fs.c b/src/utils/cutils/utils_fs.c -index ae71f3ba..63f6d2aa 100644 ---- a/src/utils/cutils/utils_fs.c -+++ b/src/utils/cutils/utils_fs.c -@@ -449,7 +449,7 @@ static int do_real_mount(const char *src, const char *dst, const char *mtype, un - if (!is_remount(src, mntflags) || (mntdata != NULL && strcmp(mntdata, "") != 0)) { - ret = mount(src, dst, mtype, oflags, mntdata); - if (ret < 0) { -- ERROR("Failed to mount from %s to %s:%s", src, dst, strerror(errno)); -+ SYSERROR("Failed to mount from %s to %s", src, dst); - goto out; - } - } -@@ -458,7 +458,7 @@ static int do_real_mount(const char *src, const char *dst, const char *mtype, un - // Change the propagation type. - ret = mount("", dst, "", mntflags & PROPAGATION_FLAGS, ""); - if (ret < 0) { -- ERROR("Failed to change the propagation type of dst %s:%s", dst, strerror(errno)); -+ SYSERROR("Failed to change the propagation type of dst %s.", dst); - goto out; - } - } -@@ -467,7 +467,7 @@ static int do_real_mount(const char *src, const char *dst, const char *mtype, un - // Remount the bind to apply read only. - ret = mount("", dst, "", oflags | MS_REMOUNT, ""); - if (ret < 0) { -- ERROR("Failed to remount the bind to apply read only of dst %s:%s", dst, strerror(errno)); -+ SYSERROR("Failed to remount the bind to apply read only of dst %s.", dst); - goto out; - } - } -@@ -576,7 +576,7 @@ static int util_mount_from_handler(const char *src, const char *dst, const char - - ret = mount(src, dst, mtype, mntflags, mntdata); - if (ret < 0) { -- ERROR("Failed to mount from %s to %s:%s", src, dst, strerror(errno)); -+ SYSERROR("Failed to mount from %s to %s.", src, dst); - goto out; - } - out: -@@ -596,7 +596,7 @@ int util_mount_from(const char *base, const char *src, const char *dst, const ch - - pid = fork(); - if (pid == (pid_t) -1) { -- ERROR("Failed to fork: %s", strerror(errno)); -+ SYSERROR("Failed to fork"); - goto cleanup; - } - -@@ -652,7 +652,7 @@ bool util_check_readonly_fs(const char *path) - continue; - } - -- ERROR("Stat fs failed: %s", strerror(errno)); -+ SYSERROR("Stat fs failed"); - return false; - } - -diff --git a/src/utils/cutils/utils_port.c b/src/utils/cutils/utils_port.c -index 583a3509..fbe143ae 100644 ---- a/src/utils/cutils/utils_port.c -+++ b/src/utils/cutils/utils_port.c -@@ -984,12 +984,12 @@ static int do_close(int sock) - if (close(sock) == 0) { - return 0; - } -- WARN("close socket failed: %s, wait to retry: %zu\n", strerror(errno), i); -+ SYSWARN("close socket failed, wait to retry: %zu\n", i); - // wait 100us to retry - usleep(10000); - } - -- ERROR("close socket failed: %s", strerror(errno)); -+ SYSERROR("close socket failed"); - return -1; - } - -@@ -1006,12 +1006,12 @@ bool util_check_port_free(int port) - - sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock < 0) { -- ERROR("get socket failed: %s", strerror(errno)); -+ SYSERROR("get socket failed"); - return false; - } - - if (bind(sock, (struct sockaddr *)&s_addr, sizeof(struct sockaddr_in)) < 0) { -- ERROR("bind port failed: %s\n", strerror(errno)); -+ SYSERROR("bind port failed"); - ret = false; - } - -@@ -1036,19 +1036,19 @@ int util_get_random_port() - - sock = socket(AF_INET, SOCK_STREAM, 0); - if (sock < 0) { -- ERROR("get socket failed: %s", strerror(errno)); -+ SYSERROR("get socket failed"); - return -1; - } - - if (bind(sock, (struct sockaddr *)&s_addr, sizeof(struct sockaddr_in)) < 0) { -- ERROR("bind port failed: %s\n", strerror(errno)); -+ SYSERROR("bind port failed"); - ret = -1; - goto out; - } - - s_len = sizeof(struct sockaddr_in); - if (getsockname(sock, (struct sockaddr *)&s_addr, &s_len) == -1) { -- ERROR("getsockname failed: %s\n", strerror(errno)); -+ SYSERROR("getsockname failed"); - ret = -1; - goto out; - } -diff --git a/src/utils/cutils/utils_verify.c b/src/utils/cutils/utils_verify.c -index 67313d70..2f10f278 100644 ---- a/src/utils/cutils/utils_verify.c -+++ b/src/utils/cutils/utils_verify.c -@@ -474,7 +474,7 @@ bool util_valid_file(const char *path, uint32_t fmod) - - nret = stat(path, &s); - if (nret < 0) { -- ERROR("stat failed, error: %s", strerror(errno)); -+ SYSERROR("stat failed"); - return false; - } - -diff --git a/src/utils/http/http.c b/src/utils/http/http.c -index 5e46766d..8b74f773 100644 ---- a/src/utils/http/http.c -+++ b/src/utils/http/http.c -@@ -333,7 +333,7 @@ static int ensure_path_file(char **rpath, void *output, bool resume, FILE **page - if (resume) { - mode = "a"; - if (stat(*rpath, &st) < 0) { -- ERROR("stat %s failed: %s", *rpath, strerror(errno)); -+ SYSERROR("stat %s failed", *rpath); - return -1; - } - *fsize = (size_t)st.st_size; -diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c -index d8e044b4..54cc2862 100644 ---- a/src/utils/sha256/sha256.c -+++ b/src/utils/sha256/sha256.c -@@ -124,7 +124,7 @@ char *sha256_digest_file(const char *filename, bool isgzip) - stream = (void *)fopen(filename, "r"); - } - if (stream == NULL) { -- ERROR("open file %s failed: %s", filename, strerror(errno)); -+ SYSERROR("open file %s failed", filename); - return NULL; - } - -@@ -259,13 +259,13 @@ static char *cal_file_digest(const char *filename) - - fp = util_fopen(filename, "r"); - if (fp == NULL) { -- ERROR("failed to open file %s: %s", filename, strerror(errno)); -+ SYSERROR("failed to open file %s.", filename); - return NULL; - } - - digest = sha256_digest_file(filename, false); - if (digest == NULL) { -- ERROR("calc digest for file %s failed: %s", filename, strerror(errno)); -+ SYSERROR("calc digest for file %s failed", filename); - goto err_out; - } - -@@ -299,7 +299,7 @@ static char *cal_gzip_digest(const char *filename) - - digest = sha256_digest_file(filename, true); - if (digest == NULL) { -- ERROR("calc digest for file %s failed: %s", filename, strerror(errno)); -+ SYSERROR("calc digest for file %s failed", filename); - goto err_out; - } - -diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c -index 24269c70..7218cca8 100644 ---- a/src/utils/tar/isulad_tar.c -+++ b/src/utils/tar/isulad_tar.c -@@ -113,7 +113,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r - - if (follow_link) { - if (realpath(path, real_path) == NULL) { -- ERROR("Can not get real path of %s: %s", real_path, strerror(errno)); -+ SYSERROR("Can not get real path of %s.", real_path); - format_errorf(err, "Can not get real path of %s: %s", real_path, strerror(errno)); - return -1; - } -@@ -130,7 +130,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r - goto cleanup; - } - if (realpath(dirpath, real_path) == NULL) { -- ERROR("Can not get real path of %s: %s", dirpath, strerror(errno)); -+ SYSERROR("Can not get real path of %s.", dirpath); - format_errorf(err, "Can not get real path of %s: %s", dirpath, strerror(errno)); - goto cleanup; - } -@@ -191,7 +191,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li - - nret = lstat(resolved_path, &st); - if (nret < 0) { -- ERROR("lstat %s: %s", resolved_path, strerror(errno)); -+ SYSERROR("lstat %s failed", resolved_path); - format_errorf(err, "lstat %s: %s", resolved_path, strerror(errno)); - goto cleanup; - } -@@ -225,7 +225,7 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct - - ret = (int)readlink(iter_path, target, PATH_MAX); - if (ret < 0) { -- ERROR("Failed to read link of %s: %s", iter_path, strerror(errno)); -+ SYSERROR("Failed to read link of %s", iter_path); - format_errorf(err, "Failed to read link of %s: %s", iter_path, strerror(errno)); - goto cleanup; - } -@@ -258,7 +258,7 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct - if (ret != 0) { - char *dst_parent = NULL; - if (errno != ENOENT) { -- ERROR("Can not stat %s: %s", iter_path, strerror(errno)); -+ SYSERROR("Can not stat %s", iter_path); - format_errorf(err, "Can not stat %s: %s", iter_path, strerror(errno)); - goto cleanup; - } -@@ -428,7 +428,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char - char *srcbase = NULL; - - if (lstat(path, &st) < 0) { -- ERROR("lstat %s: %s", path, strerror(errno)); -+ SYSERROR("lstat %s failed", path); - format_errorf(err, "lstat %s: %s", path, strerror(errno)); - return -1; - } -diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c -index d2fc5488..f34572ae 100644 ---- a/src/utils/tar/util_archive.c -+++ b/src/utils/tar/util_archive.c -@@ -343,7 +343,7 @@ static int copy_data(struct archive *ar, struct archive *aw) - } - r = archive_write_data_block(aw, buff, size, offset); - if (r < ARCHIVE_OK) { -- ERROR("tar extraction error: %s, %s", archive_error_string(aw), strerror(archive_errno(aw))); -+ ERROR("tar extraction error: %s", archive_error_string(aw)); - return r; - } - } -@@ -672,7 +672,7 @@ int archive_unpack_handler(const struct io_read_wrapper *content, const struct a - ret = archive_read_open(a, mydata, NULL, read_content, NULL); - if (ret != 0) { - ERROR("Failed to open archive: %s", archive_error_string(a)); -- fprintf(stderr, "Failed to open archive: %s", strerror(errno)); -+ fprintf(stderr, "Failed to open archive: %s", archive_error_string(a)); - ret = -1; - goto out; - } -@@ -688,9 +688,8 @@ int archive_unpack_handler(const struct io_read_wrapper *content, const struct a - } - - if (ret != ARCHIVE_OK) { -- ERROR("Warning reading tar header: %s, %s", archive_error_string(a), strerror(archive_errno(a))); -- (void)fprintf(stderr, "Warning reading tar header: %s, %s", archive_error_string(a), -- strerror(archive_errno(a))); -+ ERROR("Warning reading tar header: %s", archive_error_string(a)); -+ (void)fprintf(stderr, "Warning reading tar header: %s", archive_error_string(a)); - ret = -1; - goto out; - } -@@ -724,26 +723,23 @@ int archive_unpack_handler(const struct io_read_wrapper *content, const struct a - - ret = archive_write_header(ext, entry); - if (ret != ARCHIVE_OK) { -- ERROR("Fail to handle tar header: %s, %s", archive_error_string(ext), strerror(archive_errno(ext))); -- (void)fprintf(stderr, "Fail to handle tar header: %s, %s", archive_error_string(ext), -- strerror(archive_errno(ext))); -+ ERROR("Fail to handle tar header: %s", archive_error_string(ext)); -+ (void)fprintf(stderr, "Fail to handle tar header: %s", archive_error_string(ext)); - ret = -1; - goto out; - } else if (archive_entry_size(entry) > 0) { - ret = copy_data(a, ext); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to do copy tar data: %s, %s", archive_error_string(ext), strerror(archive_errno(ext))); -- (void)fprintf(stderr, "Failed to do copy tar data: %s, %s", archive_error_string(ext), -- strerror(archive_errno(ext))); -+ ERROR("Failed to do copy tar data: %s", archive_error_string(ext)); -+ (void)fprintf(stderr, "Failed to do copy tar data: %s", archive_error_string(ext)); - ret = -1; - goto out; - } - } - ret = archive_write_finish_entry(ext); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to freeing archive entry: %s, %s", archive_error_string(ext), strerror(archive_errno(ext))); -- (void)fprintf(stderr, "Failed to freeing archive entry: %s, %s", archive_error_string(ext), -- strerror(archive_errno(ext))); -+ ERROR("Failed to freeing archive entry: %s", archive_error_string(ext)); -+ (void)fprintf(stderr, "Failed to freeing archive entry: %s", archive_error_string(ext)); - ret = -1; - goto out; - } -@@ -824,7 +820,7 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co - - pid = fork(); - if (pid == (pid_t) -1) { -- ERROR("Failed to fork: %s", strerror(errno)); -+ SYSERROR("Failed to fork"); - goto cleanup; - } - -@@ -844,7 +840,7 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co - - // child process, dup2 pipe_for_read[1] to stderr, - if (dup2(pipe_stderr[1], 2) < 0) { -- ERROR("Dup fd error: %s", strerror(errno)); -+ SYSERROR("Dup fd error"); - ret = -1; - goto child_out; - } -@@ -876,7 +872,7 @@ child_out: - - ret = util_wait_for_pid(pid); - if (ret != 0) { -- ERROR("Wait archive_untar_handler failed with error:%s", strerror(errno)); -+ SYSERROR("Wait archive_untar_handler failed"); - fcntl(pipe_stderr[0], F_SETFL, O_NONBLOCK); - if (util_read_nointr(pipe_stderr[0], errbuf, BUFSIZ) < 0) { - ERROR("read error message from child failed"); -@@ -918,22 +914,21 @@ bool valid_archive_format(const char *file) - - ret = archive_read_support_filter_all(read_archive); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to set archive read support filter all, result is %d, errmsg: %s, %s", ret, -- archive_error_string(read_archive), strerror(archive_errno(read_archive))); -+ ERROR("Failed to set archive read support filter all, result is %d, errmsg: %s", ret, -+ archive_error_string(read_archive)); - goto out; - } - - ret = archive_read_support_format_all(read_archive); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to set archive read support format all, result is %d, errmsg: %s, %s", ret, -- archive_error_string(read_archive), strerror(archive_errno(read_archive))); -+ ERROR("Failed to set archive read support format all, result is %d, errmsg: %s", ret, -+ archive_error_string(read_archive)); - goto out; - } - - ret = archive_read_open_filename(read_archive, file, ARCHIVE_READ_BUFFER_SIZE); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to open archive %s: %s, %s", file, archive_error_string(read_archive), -- strerror(archive_errno(read_archive))); -+ ERROR("Failed to open archive %s: %s", file, archive_error_string(read_archive)); - goto out; - } - -@@ -944,15 +939,13 @@ bool valid_archive_format(const char *file) - goto out; - } - if (ret != ARCHIVE_OK) { -- ERROR("Failed to read next header for file %s: %s, %s", file, archive_error_string(read_archive), -- strerror(archive_errno(read_archive))); -+ ERROR("Failed to read next header for file %s: %s", file, archive_error_string(read_archive)); - goto out; - } - - out: - if (archive_read_free(read_archive) != ARCHIVE_OK) { -- ERROR("Failed to free archive %s: %s, %s", file, archive_error_string(read_archive), -- strerror(archive_errno(read_archive))); -+ ERROR("Failed to free archive %s: %s", file, archive_error_string(read_archive)); - } - read_archive = NULL; - -@@ -979,19 +972,15 @@ static int copy_data_between_archives(struct archive *ar, struct archive *aw) - goto out; - } - if (size < 0) { -- ERROR("tar archive read result %d, error: %s, %s", ret, archive_error_string(ar), -- strerror(archive_errno(ar))); -- (void)fprintf(stderr, "tar archive read result %d, error: %s, %s", ret, archive_error_string(ar), -- strerror(archive_errno(ar))); -+ ERROR("tar archive read result %d, error: %s", ret, archive_error_string(ar)); -+ (void)fprintf(stderr, "tar archive read result %d, error: %s", ret, archive_error_string(ar)); - ret = ARCHIVE_FAILED; - goto out; - } - ret = archive_write_data(aw, buff, size); - if (ret < ARCHIVE_OK) { -- ERROR("tar archive write result %d, error: %s, %s", ret, archive_error_string(aw), -- strerror(archive_errno(aw))); -- (void)fprintf(stderr, "tar archive write result %d, error: %s, %s", ret, archive_error_string(aw), -- strerror(archive_errno(aw))); -+ ERROR("tar archive write result %d, error: %s", ret, archive_error_string(aw)); -+ (void)fprintf(stderr, "tar archive write result %d, error: %s", ret, archive_error_string(aw)); - goto out; - } - } -@@ -1064,8 +1053,8 @@ int tar_handler(struct archive *r, struct archive *w, const char *src_base, cons - } - - if (ret != ARCHIVE_OK) { -- ERROR("read from disk failed: %s, %s", archive_error_string(r), strerror(archive_errno(r))); -- (void)fprintf(stderr, "read from disk failed: %s, %s", archive_error_string(r), strerror(archive_errno(r))); -+ ERROR("read from disk failed: %s", archive_error_string(r)); -+ (void)fprintf(stderr, "read from disk failed: %s", archive_error_string(r)); - break; - } - -@@ -1083,37 +1072,34 @@ int tar_handler(struct archive *r, struct archive *w, const char *src_base, cons - } - ret = archive_write_header(w, entry); - if (ret != ARCHIVE_OK) { -- ERROR("Fail to write tar header: %s, %s\nlink:%s target:%s", archive_error_string(w), -- strerror(archive_errno(w)), archive_entry_pathname(entry), archive_entry_hardlink(entry)); -- (void)fprintf(stderr, "Fail to write tar header: %s, %s\nlink:%s target:%s\n", archive_error_string(w), -- strerror(archive_errno(w)), archive_entry_pathname(entry), archive_entry_hardlink(entry)); -+ ERROR("Fail to write tar header: %s.\nlink:%s target:%s", archive_error_string(w), -+ archive_entry_pathname(entry), archive_entry_hardlink(entry)); -+ (void)fprintf(stderr, "Fail to write tar header: %s.\nlink:%s target:%s\n", archive_error_string(w), -+ archive_entry_pathname(entry), archive_entry_hardlink(entry)); - break; - } - - if (archive_entry_size(entry) > 0) { - ret = copy_data_between_archives(r, w); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to do copy data: %s, %s", archive_error_string(w), strerror(archive_errno(w))); -- (void)fprintf(stderr, "Failed to do copy data: %s, %s\n", archive_error_string(w), -- strerror(archive_errno(w))); -+ ERROR("Failed to do copy data: %s", archive_error_string(w)); -+ (void)fprintf(stderr, "Failed to do copy data: %s\n", archive_error_string(w)); - break; - } - } - - ret = archive_write_finish_entry(w); - if (ret != ARCHIVE_OK) { -- ERROR("Failed to freeing archive entry: %s, %s", archive_error_string(w), strerror(archive_errno(w))); -- (void)fprintf(stderr, "Failed to freeing archive entry: %s, %s\n", archive_error_string(w), -- strerror(archive_errno(w))); -+ ERROR("Failed to freeing archive entry: %s", archive_error_string(w)); -+ (void)fprintf(stderr, "Failed to freeing archive entry: %s\n", archive_error_string(w)); - break; - } - - if (archive_entry_filetype(entry) == AE_IFDIR) { - ret = archive_read_disk_descend(r); - if (ret != ARCHIVE_OK) { -- ERROR("read disk descend failed: %s, %s", archive_error_string(w), strerror(archive_errno(w))); -- (void)fprintf(stderr, "read disk descend failed: %s, %s\n", archive_error_string(w), -- strerror(archive_errno(w))); -+ ERROR("read disk descend failed: %s", archive_error_string(w)); -+ (void)fprintf(stderr, "read disk descend failed: %s\n", archive_error_string(w)); - break; - } - } -@@ -1169,9 +1155,8 @@ static int tar_all(const struct io_write_wrapper *writer, const char *tar_dir, c - archive_read_disk_set_behavior(r, ARCHIVE_READDISK_NO_TRAVERSE_MOUNTS); - ret = archive_read_disk_open(r, tar_dir); - if (ret != ARCHIVE_OK) { -- ERROR("open archive read failed: %s, %s", archive_error_string(r), strerror(archive_errno(r))); -- (void)fprintf(stderr, "open archive read failed: %s, %s\n", archive_error_string(r), -- strerror(archive_errno(r))); -+ ERROR("open archive read failed: %s", archive_error_string(r)); -+ (void)fprintf(stderr, "open archive read failed: %s\n", archive_error_string(r)); - goto out; - } - -@@ -1186,9 +1171,8 @@ static int tar_all(const struct io_write_wrapper *writer, const char *tar_dir, c - archive_write_set_options(w, "xattrheader=SCHILY"); - ret = archive_write_open(w, (void *)writer, NULL, stream_write_data, NULL); - if (ret != ARCHIVE_OK) { -- ERROR("open archive write failed: %s, %s", archive_error_string(w), strerror(archive_errno(w))); -- (void)fprintf(stderr, "open archive write failed: %s, %s\n", archive_error_string(w), -- strerror(archive_errno(w))); -+ ERROR("open archive write failed: %s", archive_error_string(w)); -+ (void)fprintf(stderr, "open archive write failed: %s\n", archive_error_string(w)); - goto out; - } - -@@ -1261,14 +1245,14 @@ int archive_chroot_tar(const char *path, const char *file, const char *root_dir, - - // child process, dup2 pipe_for_read[1] to stderr, - if (dup2(pipe_for_read[1], 2) < 0) { -- ERROR("Dup fd error: %s", strerror(errno)); -+ SYSERROR("Dup fd failed"); - ret = -1; - goto child_out; - } - - fd = open(file, TAR_DEFAULT_FLAG, TAR_DEFAULT_MODE); - if (fd < 0) { -- ERROR("Failed to open file %s for export: %s", file, strerror(errno)); -+ SYSERROR("Failed to open file %s for export", file); - fprintf(stderr, "Failed to open file %s for export: %s\n", file, strerror(errno)); - ret = -1; - goto child_out; -@@ -1477,17 +1461,17 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha - } - - if (pipe(pipe_stderr) != 0) { -- ERROR("Failed to create pipe: %s", strerror(errno)); -+ SYSERROR("Failed to create pipe"); - goto cleanup; - } - if (pipe(pipe_stream) != 0) { -- ERROR("Failed to create pipe: %s", strerror(errno)); -+ SYSERROR("Failed to create pipe"); - goto cleanup; - } - - pid = fork(); - if (pid == (pid_t) -1) { -- ERROR("Failed to fork: %s", strerror(errno)); -+ SYSERROR("Failed to fork"); - goto cleanup; - } - -@@ -1506,7 +1490,7 @@ int archive_chroot_untar_stream(const struct io_read_wrapper *context, const cha - - // child process, dup2 pipe_stderr[1] to stderr, - if (dup2(pipe_stderr[1], 2) < 0) { -- ERROR("Dup fd error: %s", strerror(errno)); -+ SYSERROR("Dup fd error"); - ret = -1; - goto child_out; - } -@@ -1562,7 +1546,7 @@ child_out: - while (read_len > 0) { - ssize_t writed_len = archive_context_write(ctx, buf, (size_t)read_len); - if (writed_len < 0) { -- DEBUG("Tar may exited: %s", strerror(errno)); -+ SYSDEBUG("Tar may exited"); - break; - } - read_len = context->read(context->context, buf, buf_len); -@@ -1613,17 +1597,17 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons - } - - if (pipe(pipe_stderr) != 0) { -- ERROR("Failed to create pipe: %s", strerror(errno)); -+ SYSERROR("Failed to create pipe"); - goto free_out; - } - if (pipe(pipe_stream) != 0) { -- ERROR("Failed to create pipe: %s", strerror(errno)); -+ SYSERROR("Failed to create pipe"); - goto free_out; - } - - pid = fork(); - if (pid == (pid_t) -1) { -- ERROR("Failed to fork: %s", strerror(errno)); -+ SYSERROR("Failed to fork"); - goto free_out; - } - -@@ -1645,7 +1629,7 @@ int archive_chroot_tar_stream(const char *chroot_dir, const char *tar_path, cons - - // child process, dup2 pipe_stderr[1] to stderr, - if (dup2(pipe_stderr[1], 2) < 0) { -- ERROR("Dup fd error: %s", strerror(errno)); -+ SYSERROR("Dup fd error"); - ret = -1; - goto child_out; - } -diff --git a/src/utils/tar/util_gzip.c b/src/utils/tar/util_gzip.c -index bf649300..0c8c8372 100644 ---- a/src/utils/tar/util_gzip.c -+++ b/src/utils/tar/util_gzip.c -@@ -42,13 +42,13 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode) - - srcfd = util_open(srcfile, O_RDONLY, SECURE_CONFIG_FILE_MODE); - if (srcfd < 0) { -- ERROR("Open src file: %s, failed: %s", srcfile, strerror(errno)); -+ SYSERROR("Open src file: %s, failed", srcfile); - return -1; - } - - stream = gzopen(dstfile, "w"); - if (stream == NULL) { -- ERROR("gzopen %s error: %s", dstfile, strerror(errno)); -+ SYSERROR("gzopen %s failed", dstfile); - close(srcfd); - return -1; - } -@@ -64,7 +64,7 @@ int util_gzip_z(const char *srcfile, const char *dstfile, const mode_t mode) - int n; - size = util_read_nointr(srcfd, buffer, BLKSIZE); - if (size < 0) { -- ERROR("read file %s failed: %s", srcfile, strerror(errno)); -+ SYSERROR("read file %s failed", srcfile); - ret = -1; - break; - } else if (size == 0) { -@@ -92,7 +92,7 @@ out: - free(buffer); - if (ret != 0) { - if (util_path_remove(dstfile) != 0) { -- ERROR("Remove file %s failed: %s", dstfile, strerror(errno)); -+ SYSERROR("Remove file %s failed", dstfile); - } - } - -@@ -115,7 +115,7 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp) - - stream = gzopen(srcfile, "r"); - if (stream == NULL) { -- ERROR("gzopen %s failed: %s", srcfile, strerror(errno)); -+ SYSERROR("gzopen %s failed", srcfile); - return -1; - } - -@@ -142,7 +142,7 @@ int util_gzip_d(const char *srcfile, const FILE *dstfp) - size = fwrite(buffer, 1, n, (FILE *)dstfp); - if (size != n) { - ret = -1; -- ERROR("Write file failed: %s", strerror(errno)); -+ SYSERROR("Write file failed"); - break; - } - } --- -2.25.1 - diff --git a/0010-2245-fix-utils_verify_ut-failure-when-remote-grpc-fu.patch b/0010-2245-fix-utils_verify_ut-failure-when-remote-grpc-fu.patch new file mode 100644 index 0000000..8a7253e --- /dev/null +++ b/0010-2245-fix-utils_verify_ut-failure-when-remote-grpc-fu.patch @@ -0,0 +1,33 @@ +From c8415e904333c99a2fcd4f8d070942b6923d44ed Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Mon, 13 Nov 2023 08:52:42 +0000 +Subject: [PATCH 10/14] !2245 fix utils_verify_ut failure when remote grpc + function is turned off * fix utils_verify_ut failure when remote grpc + function is turned off + +--- + test/cutils/utils_verify/utils_verify_ut.cc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/test/cutils/utils_verify/utils_verify_ut.cc b/test/cutils/utils_verify/utils_verify_ut.cc +index 79670ec1..f2ff57c7 100644 +--- a/test/cutils/utils_verify/utils_verify_ut.cc ++++ b/test/cutils/utils_verify/utils_verify_ut.cc +@@ -70,12 +70,14 @@ TEST(utils_verify, test_util_validate_socket) + ASSERT_EQ(util_validate_socket("unix://./isulad"), false); + ASSERT_EQ(util_validate_socket("unix://isulad"), false); + ++#ifdef ENABLE_GRPC_REMOTE_CONNECT + ASSERT_EQ(util_validate_socket("tcp://localhost:2375"), true); + ASSERT_EQ(util_validate_socket("tcp://127.0.0.1:2375"), true); + + ASSERT_EQ(util_validate_socket("tcp://"), false); + ASSERT_EQ(util_validate_socket("tcp://127.0.0.1"), false); + ASSERT_EQ(util_validate_socket("tcp://127.0.0.1,2375"), false); ++#endif + } + + TEST(utils_verify, test_util_valid_device_mode) +-- +2.42.0 + diff --git a/0010-do-not-report-low-level-error-to-user.patch b/0010-do-not-report-low-level-error-to-user.patch deleted file mode 100644 index b215682..0000000 --- a/0010-do-not-report-low-level-error-to-user.patch +++ /dev/null @@ -1,358 +0,0 @@ -From ab03fdd4261ebc11f18e3b783dfc38558e5247b5 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Wed, 6 Sep 2023 10:45:37 +0800 -Subject: [PATCH 10/32] do not report low level error to user - -Signed-off-by: haozi007 ---- - src/daemon/entry/cri/cri_helpers.cc | 4 ++-- - .../v1alpha/cri_container_manager_service.cc | 3 ++- - src/daemon/executor/container_cb/execution.c | 4 ++-- - .../executor/container_cb/execution_network.c | 17 ++++++++--------- - .../executor/container_cb/execution_stream.c | 4 ++-- - src/daemon/modules/container/container_unix.c | 2 +- - src/daemon/modules/image/external/ext_image.c | 4 ++-- - src/daemon/modules/image/oci/oci_load.c | 2 +- - .../modules/runtime/engines/lcr/lcr_rt_ops.c | 3 +-- - src/daemon/modules/service/service_container.c | 2 +- - src/daemon/modules/spec/verify.c | 2 +- - src/daemon/modules/volume/local.c | 8 ++++---- - src/utils/tar/isulad_tar.c | 16 ++++++++-------- - src/utils/tar/util_archive.c | 12 ++++++------ - 14 files changed, 41 insertions(+), 42 deletions(-) - -diff --git a/src/daemon/entry/cri/cri_helpers.cc b/src/daemon/entry/cri/cri_helpers.cc -index a80ec7d0..2e1096f5 100644 ---- a/src/daemon/entry/cri/cri_helpers.cc -+++ b/src/daemon/entry/cri/cri_helpers.cc -@@ -540,8 +540,8 @@ void RemoveContainerLogSymlink(const std::string &containerID, Errors &error) - if (path != nullptr) { - // Only remove the symlink when container log path is specified. - if (util_path_remove(path) != 0 && errno != ENOENT) { -- error.Errorf("Failed to remove container %s log symlink %s: %s", containerID.c_str(), path, -- strerror(errno)); -+ SYSERROR("Failed to remove container %s log symlink %s.", containerID.c_str(), path); -+ error.Errorf("Failed to remove container %s log symlink %s.", containerID.c_str(), path); - goto cleanup; - } - } -diff --git a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc -index b4faab95..013b938a 100644 ---- a/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc -+++ b/src/daemon/entry/cri/v1alpha/cri_container_manager_service.cc -@@ -547,8 +547,9 @@ void ContainerManagerService::CreateContainerLogSymlink(const std::string &conta - WARN("Deleted previously existing symlink file: %s", path); - } - if (symlink(realPath, path) != 0) { -+ SYSERROR("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str()); - error.Errorf("failed to create symbolic link %s to the container log file %s for container %s: %s", path, -- realPath, containerID.c_str(), strerror(errno)); -+ realPath, containerID.c_str()); - goto cleanup; - } - } else { -diff --git a/src/daemon/executor/container_cb/execution.c b/src/daemon/executor/container_cb/execution.c -index d3571b7f..63d8143c 100644 ---- a/src/daemon/executor/container_cb/execution.c -+++ b/src/daemon/executor/container_cb/execution.c -@@ -345,13 +345,13 @@ static int maybe_create_cpu_realtime_file(int64_t value, const char *file, const - fd = util_open(fpath, O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, 0700); - if (fd < 0) { - SYSERROR("Failed to open file: %s.", fpath); -- isulad_set_error_message("Failed to open file: %s: %s", fpath, strerror(errno)); -+ isulad_set_error_message("Failed to open file: %s.", fpath); - return -1; - } - nwrite = util_write_nointr(fd, buf, strlen(buf)); - if (nwrite < 0 || (size_t)nwrite != strlen(buf)) { - SYSERROR("Failed to write %s to %s.", buf, fpath); -- isulad_set_error_message("Failed to write '%s' to '%s': %s", buf, fpath, strerror(errno)); -+ isulad_set_error_message("Failed to write '%s' to '%s'.", buf, fpath); - return -1; - } - -diff --git a/src/daemon/executor/container_cb/execution_network.c b/src/daemon/executor/container_cb/execution_network.c -index ce924332..a145e33a 100644 ---- a/src/daemon/executor/container_cb/execution_network.c -+++ b/src/daemon/executor/container_cb/execution_network.c -@@ -68,8 +68,8 @@ static int write_hostname_to_file(const char *rootfs, const char *hostname) - - ret = util_write_file(file_path, hostname, strlen(hostname), NETWORK_MOUNT_FILE_MODE); - if (ret) { -- SYSERROR("Failed to write %s", file_path); -- isulad_set_error_message("Failed to write %s: %s", file_path, strerror(errno)); -+ SYSERROR("Failed to write %s.", file_path); -+ isulad_set_error_message("Failed to write %s.", file_path); - goto out; - } - -@@ -97,8 +97,8 @@ static int fopen_network(FILE **fp, char **file_path, const char *rootfs, const - - *fp = util_fopen(*file_path, "a+"); - if (*fp == NULL) { -- SYSERROR("Failed to open %s", *file_path); -- isulad_set_error_message("Failed to open %s: %s", *file_path, strerror(errno)); -+ SYSERROR("Failed to open %s.", *file_path); -+ isulad_set_error_message("Failed to open %s.", *file_path); - return -1; - } - return 0; -@@ -169,8 +169,8 @@ static int write_content_to_file(const char *file_path, const char *content) - if (content != NULL) { - ret = util_write_file(file_path, content, strlen(content), NETWORK_MOUNT_FILE_MODE); - if (ret != 0) { -- SYSERROR("Failed to write file %s", file_path); -- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); -+ SYSERROR("Failed to write file %s.", file_path); -+ isulad_set_error_message("Failed to write file %s.", file_path); - return ret; - } - } -@@ -702,9 +702,8 @@ static int chown_network(const char *user_remap, const char *rootfs, const char - goto out; - } - if (chown(file_path, host_uid, host_gid) != 0) { -- SYSERROR("Failed to chown network file '%s' to %u:%u", filename, host_uid, host_gid); -- isulad_set_error_message("Failed to chown network file '%s' to %u:%u: %s", filename, host_uid, host_gid, -- strerror(errno)); -+ SYSERROR("Failed to chown network file '%s' to %u:%u.", filename, host_uid, host_gid); -+ isulad_set_error_message("Failed to chown network file '%s' to %u:%u.", filename, host_uid, host_gid); - ret = -1; - goto out; - } -diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c -index 7e84cca3..aae9c234 100644 ---- a/src/daemon/executor/container_cb/execution_stream.c -+++ b/src/daemon/executor/container_cb/execution_stream.c -@@ -536,7 +536,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c - nret = lstat(resolvedpath, &st); - if (nret < 0) { - SYSERROR("lstat %s failed.", resolvedpath); -- isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); -+ isulad_set_error_message("lstat %s failed.", resolvedpath); - goto cleanup; - } - -@@ -922,7 +922,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha - nret = lstat(resolvedpath, &st); - if (nret < 0) { - SYSERROR("lstat %s failed", resolvedpath); -- isulad_set_error_message("lstat %s: %s", resolvedpath, strerror(errno)); -+ isulad_set_error_message("lstat %s failed", resolvedpath); - goto cleanup; - } - -diff --git a/src/daemon/modules/container/container_unix.c b/src/daemon/modules/container/container_unix.c -index e8c98441..fa53a85f 100644 ---- a/src/daemon/modules/container/container_unix.c -+++ b/src/daemon/modules/container/container_unix.c -@@ -518,7 +518,7 @@ static int save_json_config_file(const char *id, const char *rootpath, const cha - nret = util_atomic_write_file(filename, json_data, strlen(json_data), CONFIG_FILE_MODE, false); - if (nret != 0) { - SYSERROR("Write file %s failed.", filename); -- isulad_set_error_message("Write file '%s' failed: %s", filename, strerror(errno)); -+ isulad_set_error_message("Write file '%s' failed.", filename); - ret = -1; - } - -diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c -index 10af82a3..e1706469 100644 ---- a/src/daemon/modules/image/external/ext_image.c -+++ b/src/daemon/modules/image/external/ext_image.c -@@ -65,8 +65,8 @@ int ext_prepare_rf(const im_prepare_request *request, char **real_rootfs) - return -1; - } - if (realpath(request->rootfs, real_path) == NULL) { -- SYSERROR("Failed to clean rootfs path '%s'", request->rootfs); -- isulad_set_error_message("Failed to clean rootfs path '%s': %s", request->rootfs, strerror(errno)); -+ SYSERROR("Failed to clean rootfs path '%s'.", request->rootfs); -+ isulad_set_error_message("Failed to clean rootfs path '%s'.", request->rootfs); - return -1; - } - *real_rootfs = util_strdup_s(real_path); -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index d2efab81..5511a70c 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -1046,7 +1046,7 @@ static char *oci_load_path_create() - - if (mkdtemp(tmp_dir) == NULL) { - SYSERROR("make temporary dir failed"); -- isulad_try_set_error_message("make temporary dir failed: %s", strerror(errno)); -+ isulad_try_set_error_message("make temporary dir failed"); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c -index e985cfc1..f61316d0 100644 ---- a/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c -+++ b/src/daemon/modules/runtime/engines/lcr/lcr_rt_ops.c -@@ -209,9 +209,8 @@ static int remove_container_rootpath(const char *id, const char *root_path) - } - ret = util_recursive_rmdir(cont_root_path, 0); - if (ret != 0) { -- const char *tmp_err = (errno != 0) ? strerror(errno) : "error"; - SYSERROR("Failed to delete container's root directory %s.", cont_root_path); -- isulad_set_error_message("Failed to delete container's root directory %s: %s", cont_root_path, tmp_err); -+ isulad_set_error_message("Failed to delete container's root directory %s.", cont_root_path); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c -index 483670de..370ba059 100644 ---- a/src/daemon/modules/service/service_container.c -+++ b/src/daemon/modules/service/service_container.c -@@ -596,7 +596,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem - - if (lstat(mp->source, &st) != 0) { - SYSERROR("lstat %s failed", mp->source); -- isulad_set_error_message("lstat %s: %s", mp->source, strerror(errno)); -+ isulad_set_error_message("lstat %s failed", mp->source); - return -1; - } - -diff --git a/src/daemon/modules/spec/verify.c b/src/daemon/modules/spec/verify.c -index 6180b887..92029cbd 100644 ---- a/src/daemon/modules/spec/verify.c -+++ b/src/daemon/modules/spec/verify.c -@@ -1536,7 +1536,7 @@ static int verify_custom_mount(defs_mount **mounts, size_t len) - if (!util_file_exists(iter->source) && util_mkdir_p(iter->source, mode)) { - #endif - SYSERROR("Failed to create directory '%s'", iter->source); -- isulad_try_set_error_message("Failed to create directory '%s': %s", iter->source, strerror(errno)); -+ isulad_try_set_error_message("Failed to create directory '%s'", iter->source); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/volume/local.c b/src/daemon/modules/volume/local.c -index 7f95757d..6c3354dc 100644 ---- a/src/daemon/modules/volume/local.c -+++ b/src/daemon/modules/volume/local.c -@@ -556,15 +556,15 @@ static int remove_volume_dir(char *path) - // remain untouched if we remove the data directory failed. - ret = util_recursive_rmdir(path, 0); - if (ret != 0) { -- SYSERROR("failed to remove volume data dir %s", path); -- isulad_try_set_error_message("failed to remove volume data dir %s: %s", path, strerror(errno)); -+ SYSERROR("failed to remove volume data dir %s.", path); -+ isulad_try_set_error_message("failed to remove volume data dir %s.", path); - goto out; - } - - ret = util_recursive_rmdir(vol_dir, 0); - if (ret != 0) { -- SYSERROR("failed to remove volume dir %s", vol_dir); -- isulad_try_set_error_message("failed to remove volume dir %s: %s", vol_dir, strerror(errno)); -+ SYSERROR("failed to remove volume dir %s.", vol_dir); -+ isulad_try_set_error_message("failed to remove volume dir %s.", vol_dir); - goto out; - } - -diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c -index 7218cca8..bffbb43b 100644 ---- a/src/utils/tar/isulad_tar.c -+++ b/src/utils/tar/isulad_tar.c -@@ -114,7 +114,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r - if (follow_link) { - if (realpath(path, real_path) == NULL) { - SYSERROR("Can not get real path of %s.", real_path); -- format_errorf(err, "Can not get real path of %s: %s", real_path, strerror(errno)); -+ format_errorf(err, "Can not get real path of %s.", real_path); - return -1; - } - nret = get_rebase_name(path, real_path, resolved_path, rebase_name); -@@ -131,7 +131,7 @@ static int resolve_host_source_path(const char *path, bool follow_link, char **r - } - if (realpath(dirpath, real_path) == NULL) { - SYSERROR("Can not get real path of %s.", dirpath); -- format_errorf(err, "Can not get real path of %s: %s", dirpath, strerror(errno)); -+ format_errorf(err, "Can not get real path of %s.", dirpath); - goto cleanup; - } - nret = snprintf(resolved, sizeof(resolved), "%s/%s", real_path, basepath); -@@ -192,7 +192,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li - nret = lstat(resolved_path, &st); - if (nret < 0) { - SYSERROR("lstat %s failed", resolved_path); -- format_errorf(err, "lstat %s: %s", resolved_path, strerror(errno)); -+ format_errorf(err, "lstat %s failed", resolved_path); - goto cleanup; - } - -@@ -225,8 +225,8 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct - - ret = (int)readlink(iter_path, target, PATH_MAX); - if (ret < 0) { -- SYSERROR("Failed to read link of %s", iter_path); -- format_errorf(err, "Failed to read link of %s: %s", iter_path, strerror(errno)); -+ SYSERROR("Failed to read link of %s.", iter_path); -+ format_errorf(err, "Failed to read link of %s.", iter_path); - goto cleanup; - } - // is not absolutely path -@@ -258,8 +258,8 @@ static int copy_info_destination_path_ret(struct archive_copy_info *info, struct - if (ret != 0) { - char *dst_parent = NULL; - if (errno != ENOENT) { -- SYSERROR("Can not stat %s", iter_path); -- format_errorf(err, "Can not stat %s: %s", iter_path, strerror(errno)); -+ SYSERROR("Can not stat %s.", iter_path); -+ format_errorf(err, "Can not stat %s.", iter_path); - goto cleanup; - } - -@@ -429,7 +429,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char - - if (lstat(path, &st) < 0) { - SYSERROR("lstat %s failed", path); -- format_errorf(err, "lstat %s: %s", path, strerror(errno)); -+ format_errorf(err, "lstat %s failed", path); - return -1; - } - if (util_split_path_dir_entry(path, &srcdir, &srcbase) < 0) { -diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c -index f34572ae..82194654 100644 ---- a/src/utils/tar/util_archive.c -+++ b/src/utils/tar/util_archive.c -@@ -257,8 +257,8 @@ static int do_safe_chroot(const char *dstdir) - prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - - if (chroot(dstdir) != 0) { -- SYSERROR("Failed to chroot to %s", dstdir); -- fprintf(stderr, "Failed to chroot to %s: %s", dstdir, strerror(errno)); -+ SYSERROR("Failed to chroot to %s.", dstdir); -+ fprintf(stderr, "Failed to chroot to %s.", dstdir); - return -1; - } - -@@ -846,15 +846,15 @@ int archive_unpack(const struct io_read_wrapper *content, const char *dstdir, co - } - - if (do_safe_chroot(safe_dir) != 0) { -- SYSERROR("Failed to chroot to %s", safe_dir); -- fprintf(stderr, "Failed to chroot to %s: %s", safe_dir, strerror(errno)); -+ SYSERROR("Failed to chroot to %s.", safe_dir); -+ fprintf(stderr, "Failed to chroot to %s.", safe_dir); - ret = -1; - goto child_out; - } - - if (chdir("/") != 0) { - SYSERROR("Failed to chroot to /"); -- fprintf(stderr, "Failed to chroot to /: %s", strerror(errno)); -+ fprintf(stderr, "Failed to chroot to /"); - ret = -1; - goto child_out; - } -@@ -1253,7 +1253,7 @@ int archive_chroot_tar(const char *path, const char *file, const char *root_dir, - fd = open(file, TAR_DEFAULT_FLAG, TAR_DEFAULT_MODE); - if (fd < 0) { - SYSERROR("Failed to open file %s for export", file); -- fprintf(stderr, "Failed to open file %s for export: %s\n", file, strerror(errno)); -+ fprintf(stderr, "Failed to open file %s for export\n", file); - ret = -1; - goto child_out; - } --- -2.25.1 - diff --git a/0011-add-runc-attach-implement.patch b/0011-add-runc-attach-implement.patch new file mode 100644 index 0000000..088e339 --- /dev/null +++ b/0011-add-runc-attach-implement.patch @@ -0,0 +1,1312 @@ +From aaf1b46c66aa596ec718c11c4f4270e41e7b570e Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 7 Nov 2023 16:39:35 +0800 +Subject: [PATCH 11/14] add runc attach implement + +Signed-off-by: zhongtao +--- + .../connect/grpc/grpc_containers_client.cc | 9 + + src/cmd/isula/stream/attach.c | 12 +- + src/cmd/isulad-shim/common.c | 116 ++++- + src/cmd/isulad-shim/common.h | 30 ++ + src/cmd/isulad-shim/main.c | 14 + + src/cmd/isulad-shim/process.c | 453 ++++++++++++++++-- + src/cmd/isulad-shim/process.h | 7 +- + src/cmd/isulad-shim/terminal.c | 2 +- + .../executor/container_cb/execution_stream.c | 1 + + src/daemon/modules/api/runtime_api.h | 1 + + .../modules/runtime/isula/isula_rt_ops.c | 168 ++++++- + src/utils/cutils/error.h | 4 +- + 12 files changed, 755 insertions(+), 62 deletions(-) + +diff --git a/src/client/connect/grpc/grpc_containers_client.cc b/src/client/connect/grpc/grpc_containers_client.cc +index 2dd73100..bcb1e8da 100644 +--- a/src/client/connect/grpc/grpc_containers_client.cc ++++ b/src/client/connect/grpc/grpc_containers_client.cc +@@ -1394,6 +1394,8 @@ public: + auto run(const struct isula_attach_request *request, struct isula_attach_response *response) -> int override + { + ClientContext context; ++ bool detach = false; ++ std::string attach_detach_msg = "read escape sequence"; + + if (set_custom_header_metadata(context, request) != 0) { + ERROR("Failed to translate request to grpc"); +@@ -1415,6 +1417,9 @@ public: + break; + } + if (!stream_response.stdout().empty()) { ++ if (strcmp(stream_response.stdout().c_str(), attach_detach_msg.c_str()) == 0) { ++ detach = true; ++ } + std::cout << stream_response.stdout() << std::flush; + } + if (!stream_response.stderr().empty()) { +@@ -1437,6 +1442,10 @@ public: + response->cc = ISULAD_ERR_EXEC; + } + ++ if (detach) { ++ response->server_errono = ISULAD_INFO_DETACH; ++ } ++ + out: + if (request->attach_stdin) { + pthread_cancel(writer.native_handle()); +diff --git a/src/cmd/isula/stream/attach.c b/src/cmd/isula/stream/attach.c +index ff49af92..b61c9350 100644 +--- a/src/cmd/isula/stream/attach.c ++++ b/src/cmd/isula/stream/attach.c +@@ -37,6 +37,7 @@ + #include "connect.h" + #include "constants.h" + #include "client_helpers.h" ++#include "error.h" + #ifndef GRPC_CONNECTOR + #include "client_console.h" + #endif +@@ -70,8 +71,10 @@ static int check_tty(bool tty, struct termios *oldtios, bool *reset_tty) + } + *reset_tty = true; + } else { +- INFO("the input device is not a TTY"); +- return 0; ++ // if it is trying to attach to a container TTY ++ // from a non-TTY client input stream, returns -1. ++ COMMAND_ERROR("the input device is not a TTY"); ++ return -1; + } + + return 0; +@@ -353,6 +356,7 @@ static int client_attach(struct client_arguments *args, uint32_t *exit_code) + #endif + + config = get_connect_config(args); ++ // Obtain the container's real exit code by waiting for the container to stop. + container_wait_thread(args, exit_code, &sem_exited); + ret = ops->container.attach(&request, response, &config); + if (ret != 0) { +@@ -374,7 +378,9 @@ static int client_attach(struct client_arguments *args, uint32_t *exit_code) + + if (sem_timedwait(&sem_exited, &ts) != 0) { + if (errno == ETIMEDOUT) { +- COMMAND_ERROR("Wait container status timeout."); ++ if (response->server_errono != ISULAD_INFO_DETACH) { ++ INFO("Wait container stopped status timeout."); ++ } + } else { + CMD_SYSERROR("Failed to wait sem"); + } +diff --git a/src/cmd/isulad-shim/common.c b/src/cmd/isulad-shim/common.c +index 781dc004..48d266dc 100644 +--- a/src/cmd/isulad-shim/common.c ++++ b/src/cmd/isulad-shim/common.c +@@ -33,16 +33,26 @@ + #include + + int g_log_fd = -1; ++int g_attach_log_fd = -1; + + int init_shim_log(void) + { +- g_log_fd = open_no_inherit(SHIM_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0640); ++ g_log_fd = open_no_inherit(SHIM_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, LOG_FILE_MODE); + if (g_log_fd < 0) { + return SHIM_ERR; + } + return SHIM_OK; + } + ++int init_attach_log(void) ++{ ++ g_attach_log_fd = open_no_inherit(ATTACH_LOG_NAME, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, LOG_FILE_MODE); ++ if (g_attach_log_fd < 0) { ++ return SHIM_ERR; ++ } ++ return SHIM_OK; ++} ++ + void signal_routine(int sig) + { + switch (sig) { +@@ -162,11 +172,24 @@ int generate_random_str(char *id, size_t len) + return SHIM_OK; + } + +-void write_message(const char *level, const char *fmt, ...) +-{ + #define MAX_MSG_JSON_TEMPLATE 32 + #define MAX_MESSAGE_CONTENT_LEN 128 + #define MAX_MESSAGE_LEN (MAX_MSG_JSON_TEMPLATE + MAX_MESSAGE_CONTENT_LEN) ++ ++static void format_log_msg(const char *level, const char *buf, char *msg, int max_message_len) ++{ ++ time_t current_time = time(NULL); ++ struct tm *local_time = localtime(¤t_time); ++ char time_str[20]; ++ ++ strftime(time_str, sizeof(time_str), "%Y-%m-%d %H:%M:%S", local_time); ++ ++ (void)snprintf(msg, max_message_len - 1, "{\"time\": \"%s\", \"level\": \"%s\", \"msg\": \"%s\"}\n", time_str, level, ++ buf); ++} ++ ++void write_message(const char *level, const char *fmt, ...) ++{ + if (g_log_fd < 0) { + return; + } +@@ -183,15 +206,31 @@ void write_message(const char *level, const char *fmt, ...) + return; + } + +- nwrite = snprintf(msg, MAX_MESSAGE_LEN - 1, "{\"level\": \"%s\", \"msg\": \"%s\"}\n", level, buf); +- if (nwrite < 0 || (size_t)nwrite >= (MAX_MESSAGE_LEN - 1)) { ++ format_log_msg(level, buf, msg, MAX_MESSAGE_CONTENT_LEN); ++ ++ (void)isula_file_total_write_nointr(g_log_fd, msg, strlen(msg)); ++} ++ ++void write_attach_message(const char *level, const char *fmt, ...) ++{ ++ char buf[MAX_MESSAGE_CONTENT_LEN] = { 0 }; ++ char msg[MAX_MESSAGE_LEN] = { 0 }; ++ int nwrite = -1; ++ ++ if (g_attach_log_fd < 0) { + return; + } +- +- nwrite = isula_file_total_write_nointr(g_log_fd, msg, strlen(msg)); +- if (nwrite < 0 || (size_t)nwrite != strlen(msg)) { ++ va_list arg_list; ++ va_start(arg_list, fmt); ++ nwrite = vsnprintf(buf, MAX_MESSAGE_CONTENT_LEN, fmt, arg_list); ++ va_end(arg_list); ++ if (nwrite < 0) { + return; + } ++ ++ format_log_msg(level, buf, msg, MAX_MESSAGE_CONTENT_LEN); ++ ++ (void)isula_file_total_write_nointr(g_attach_log_fd, msg, strlen(msg)); + } + + /* note: This function can only read small text file. */ +@@ -272,3 +311,64 @@ int open_no_inherit(const char *path, int flag, mode_t mode) + + return fd; + } ++ ++/* judge the fd whether is attach fifo */ ++struct isula_linked_list *get_attach_fifo_item(int fd, struct isula_linked_list *list) ++{ ++ struct isula_linked_list *it = NULL; ++ struct isula_linked_list *next = NULL; ++ ++ if (fd <= 0 || list == NULL || isula_linked_list_empty(list)) { ++ return it; ++ } ++ ++ isula_linked_list_for_each_safe(it, list, next) { ++ struct shim_fifos_fd *elem = (struct shim_fifos_fd *)it->elem; ++ if (elem == NULL) { ++ continue; ++ } ++ if (elem->in_fd == fd) { ++ return it; ++ } ++ if (elem->out_fd == fd) { ++ return it; ++ } ++ if (elem->err_fd == fd) { ++ return it; ++ } ++ } ++ ++ return it; ++} ++ ++void free_shim_fifos_fd(struct shim_fifos_fd *item) ++{ ++ if (item == NULL) { ++ return; ++ } ++ if (item->in_fifo != NULL) { ++ free(item->in_fifo); ++ item->in_fifo = NULL; ++ } ++ if (item->out_fifo != NULL) { ++ free(item->out_fifo); ++ item->out_fifo = NULL; ++ } ++ if (item->err_fifo != NULL) { ++ free(item->err_fifo); ++ item->err_fifo = NULL; ++ } ++ if (item->in_fd >= 0) { ++ close(item->in_fd); ++ item->in_fd = -1; ++ } ++ if (item->out_fd >= 0) { ++ close(item->out_fd); ++ item->out_fd = -1; ++ } ++ if (item->err_fd >= 0) { ++ close(item->err_fd); ++ item->err_fd = -1; ++ } ++ free(item); ++} +\ No newline at end of file +diff --git a/src/cmd/isulad-shim/common.h b/src/cmd/isulad-shim/common.h +index 55efdc28..2020a799 100644 +--- a/src/cmd/isulad-shim/common.h ++++ b/src/cmd/isulad-shim/common.h +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #ifdef __cplusplus + extern "C" { +@@ -59,8 +60,22 @@ extern "C" { + #define CONTAINER_ACTION_REBOOT 129 + #define CONTAINER_ACTION_SHUTDOWN 130 + ++#define ATTACH_SOCKET "attach_socket.sock" ++#define ATTACH_LOG_NAME "attach-log.json" ++#define ATTACH_DETACH_MSG "read escape sequence" ++#define MAX_ATTACH_NUM 16 ++ ++#define CTRL_Q 0x11 // ASCII code control character ctrl + Q ++ ++#define LOG_FILE_MODE 0600 ++ ++#define SOCKET_DIRECTORY_MODE 0600 ++#define ATTACH_FIFOPATH_MODE 0600 ++ + int init_shim_log(void); + ++int init_attach_log(void); ++ + void signal_routine(int sig); + + /** +@@ -90,18 +105,33 @@ void signal_routine(int sig); + } \ + } while (0) + ++struct shim_fifos_fd { ++ char *in_fifo; ++ char *out_fifo; ++ char *err_fifo; ++ int in_fd; ++ int out_fd; ++ int err_fd; ++}; ++ + char *read_text_file(const char *path); + + int cmd_combined_output(const char *binary, const char *params[], void *output, int *output_len); + + void write_message(const char *level, const char *fmt, ...); + ++void write_attach_message(const char *level, const char *fmt, ...); ++ + int generate_random_str(char *id, size_t len); + + void close_fd(int *pfd); + + int open_no_inherit(const char *path, int flag, mode_t mode); + ++struct isula_linked_list *get_attach_fifo_item(int fd, struct isula_linked_list *list); ++ ++void free_shim_fifos_fd(struct shim_fifos_fd *item); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/cmd/isulad-shim/main.c b/src/cmd/isulad-shim/main.c +index 454011d0..deb07271 100644 +--- a/src/cmd/isulad-shim/main.c ++++ b/src/cmd/isulad-shim/main.c +@@ -145,6 +145,20 @@ int main(int argc, char **argv) + } + } + ++ if (p->state->attach_socket != NULL) { ++ ret = prepare_attach_socket(p); ++ if (ret != SHIM_OK) { ++ write_message(ERR_MSG, "failed to prepare attach socket:%d", ret); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = init_attach_log(); ++ if (ret != SHIM_OK) { ++ write_message(ERR_MSG, "failed to init shim attach log"); ++ exit(EXIT_FAILURE); ++ } ++ } ++ + /* start epoll for io copy */ + ret = process_io_start(p, &tid_epoll); + if (ret != SHIM_OK) { +diff --git a/src/cmd/isulad-shim/process.c b/src/cmd/isulad-shim/process.c +index 40908102..187067d2 100644 +--- a/src/cmd/isulad-shim/process.c ++++ b/src/cmd/isulad-shim/process.c +@@ -19,20 +19,22 @@ + #include + #include + #include ++#include ++#include ++#include // IWYU pragma: keep ++#include ++#include + #include + #include + #include +-#include + #include + #include + #include + #include +-#include +-#include + #include // IWYU pragma: keep +-#include // IWYU pragma: keep + #include + #include ++#include + + #include + #include +@@ -42,6 +44,8 @@ + #include + #include + #include ++#include ++#include + + #include "common.h" + #include "terminal.h" +@@ -57,7 +61,7 @@ static shim_client_process_state *load_process() + + p_state = shim_client_process_state_parse_file("process.json", NULL, &err); + if (p_state == NULL) { +- write_message(ERR_MSG, "parse process state failed"); ++ write_message(ERR_MSG, "parse process state failed: %s", err); + } + /* "err" will definitely be allocated memory in the function above */ + free(err); +@@ -168,6 +172,99 @@ static int sync_exit_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr + return EPOLL_LOOP_HANDLE_CLOSE; + } + ++static bool fifo_exists(const char *path) ++{ ++ struct stat sb; ++ int ret; ++ ++ ret = stat(path, &sb); ++ if (ret < 0) { ++ // could be something other than exist, just return false ++ return false; ++ } ++ ++ return S_ISFIFO(sb.st_mode); ++} ++ ++static int add_attach_terminal_fifos(const char *in, const char *out, const char *err, int *input_fd, process_t *p) ++{ ++ __isula_auto_close int fifofd_in = -1; ++ __isula_auto_close int fifofd_out = -1; ++ __isula_auto_close int fifofd_err = -1; ++ struct shim_fifos_fd *fifos = NULL; ++ struct isula_linked_list *node = NULL; ++ ++ bool invalid = (in != NULL && !fifo_exists(in)) || (out != NULL && !fifo_exists(out)) || (err != NULL && ++ !fifo_exists(err)); ++ if (invalid) { ++ write_attach_message(ERR_MSG, "File %s or %s or %s does not refer to a FIFO", in, out, err); ++ return -1; ++ } ++ ++ if (in != NULL) { ++ fifofd_in = isula_file_open(in, O_RDONLY | O_NONBLOCK | O_CLOEXEC, 0); ++ if (fifofd_in < 0) { ++ write_attach_message(ERR_MSG, "Failed to open FIFO: %s", in); ++ return -1; ++ } ++ } ++ ++ if (out != NULL) { ++ fifofd_out = isula_file_open(out, O_WRONLY | O_NONBLOCK | O_CLOEXEC, 0); ++ if (fifofd_out < 0) { ++ write_attach_message(ERR_MSG, "Failed to open FIFO: %s", out); ++ return -1; ++ } ++ } ++ ++ if (err != NULL) { ++ fifofd_err = isula_file_open(err, O_WRONLY | O_NONBLOCK | O_CLOEXEC, 0); ++ if (fifofd_err < 0) { ++ write_attach_message(ERR_MSG, "Failed to open FIFO: %s", err); ++ return -1; ++ } ++ } ++ ++ fifos = isula_common_calloc_s(sizeof(*fifos)); ++ if (fifos == NULL) { ++ write_attach_message(ERR_MSG, "Out of memory"); ++ goto err_out; ++ } ++ ++ fifos->in_fifo = isula_strdup_s(in); ++ fifos->out_fifo = isula_strdup_s(out); ++ fifos->err_fifo = isula_strdup_s(err); ++ ++ fifos->in_fd = isula_transfer_fd(fifofd_in); ++ fifos->out_fd = isula_transfer_fd(fifofd_out); ++ fifos->err_fd = isula_transfer_fd(fifofd_err); ++ node = isula_common_calloc_s(sizeof(struct isula_linked_list)); ++ if (node == NULL) { ++ write_attach_message(ERR_MSG, "Out of memory"); ++ goto err_out; ++ } ++ ++ node->elem = fifos; ++ isula_linked_list_add(p->attach_fifos, node); ++ ++ if (input_fd != NULL) { ++ *input_fd = fifos->in_fd; ++ } ++ ++ return 0; ++err_out: ++ free_shim_fifos_fd(fifos); ++ return -1; ++} ++ ++static void remove_attach_terminal_fifos(isula_epoll_descr_t *descr, struct isula_linked_list *item) ++{ ++ struct shim_fifos_fd *elem = (struct shim_fifos_fd *)item->elem; ++ isula_epoll_remove_handler(descr, elem->in_fd); ++ isula_linked_list_del(item); ++ free_shim_fifos_fd(elem); ++} ++ + static int stdin_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t *descr) + { + process_t *p = (process_t *)cbdata; +@@ -210,6 +307,57 @@ static int stdin_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t * + return EPOLL_LOOP_HANDLE_CONTINUE; + } + ++static int attach_stdin_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t *descr) ++{ ++ process_t *p = (process_t *)cbdata; ++ int r_count = 0; ++ int w_count = 0; ++ int *fd_to = NULL; ++ struct isula_linked_list *item; ++ ++ if (events & EPOLLHUP) { ++ write_message(ERR_MSG, "attach stdin %d received the EPOLLHUP event", fd); ++ goto err_out; ++ } ++ ++ if (!(events & EPOLLIN)) { ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++ } ++ ++ (void)memset(p->buf, 0, DEFAULT_IO_COPY_BUF); ++ ++ r_count = isula_file_read_nointr(fd, p->buf, DEFAULT_IO_COPY_BUF); ++ if (r_count <= 0) { ++ write_message(ERR_MSG, "failed to read from attach stdin %d, error:%d", fd, SHIM_SYS_ERR(errno)); ++ goto err_out; ++ } ++ ++ if (p->state->terminal) { ++ fd_to = &(p->recv_fd); ++ } else { ++ fd_to = &(p->shim_io->in); ++ } ++ ++ if (fd_to == NULL || *fd_to == -1) { ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++ } ++ w_count = isula_file_total_write_nointr(*fd_to, p->buf, r_count); ++ if (w_count < 0) { ++ /* When any error occurs, set the write fd -1 */ ++ write_message(WARN_MSG, "write in_fd %d error:%d", *fd_to, SHIM_SYS_ERR(errno)); ++ close(*fd_to); ++ *fd_to = -1; ++ } ++ ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++err_out: ++ item = get_attach_fifo_item(fd, p->attach_fifos); ++ if (item != NULL && item->elem != NULL) { ++ remove_attach_terminal_fifos(descr, item); ++ } ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++} ++ + static int stdout_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t *descr) + { + process_t *p = (process_t *)cbdata; +@@ -237,16 +385,29 @@ static int stdout_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t + + shim_write_container_log_file(p->terminal, STDID_OUT, p->buf, r_count); + +- if (p->isulad_io->out == -1) { ++ if (p->isulad_io->out != -1) { ++ w_count = isula_file_total_write_nointr(p->isulad_io->out, p->buf, r_count); ++ if (w_count < 0) { ++ /* When any error occurs, set the write fd -1 */ ++ write_message(WARN_MSG, "write out_fd %d error:%d", p->isulad_io->out, SHIM_SYS_ERR(errno)); ++ close(p->isulad_io->out); ++ p->isulad_io->out = -1; ++ } ++ } ++ ++ if (isula_linked_list_empty(p->attach_fifos)) { + return EPOLL_LOOP_HANDLE_CONTINUE; + } + +- w_count = isula_file_total_write_nointr(p->isulad_io->out, p->buf, r_count); +- if (w_count < 0) { +- /* When any error occurs, set the write fd -1 */ +- write_message(WARN_MSG, "write out_fd %d error:%d", p->isulad_io->out, SHIM_SYS_ERR(errno)); +- close(p->isulad_io->out); +- p->isulad_io->out = -1; ++ struct isula_linked_list *it = NULL; ++ struct isula_linked_list *next = NULL; ++ ++ isula_linked_list_for_each_safe(it, p->attach_fifos, next) { ++ struct shim_fifos_fd *elem = (struct shim_fifos_fd *)it->elem; ++ w_count = isula_file_total_write_nointr(elem->out_fd, p->buf, r_count); ++ if (w_count < 0) { ++ remove_attach_terminal_fifos(descr, it); ++ } + } + + return EPOLL_LOOP_HANDLE_CONTINUE; +@@ -279,16 +440,29 @@ static int stderr_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t + + shim_write_container_log_file(p->terminal, STDID_ERR, p->buf, r_count); + +- if (p->isulad_io->err == -1) { ++ if (p->isulad_io->err != -1) { ++ w_count = isula_file_total_write_nointr(p->isulad_io->err, p->buf, r_count); ++ if (w_count < 0) { ++ /* When any error occurs, set the write fd -1 */ ++ write_message(WARN_MSG, "write err_fd %d error:%d", p->isulad_io->err, SHIM_SYS_ERR(errno)); ++ close(p->isulad_io->err); ++ p->isulad_io->err = -1; ++ } ++ } ++ ++ if (isula_linked_list_empty(p->attach_fifos)) { + return EPOLL_LOOP_HANDLE_CONTINUE; + } + +- w_count = isula_file_total_write_nointr(p->isulad_io->err, p->buf, r_count); +- if (w_count < 0) { +- /* When any error occurs, set the write fd -1 */ +- write_message(WARN_MSG, "write err_fd %d error:%d", p->isulad_io->err, SHIM_SYS_ERR(errno)); +- close(p->isulad_io->err); +- p->isulad_io->err = -1; ++ struct isula_linked_list *it = NULL; ++ struct isula_linked_list *next = NULL; ++ ++ isula_linked_list_for_each_safe(it, p->attach_fifos, next) { ++ struct shim_fifos_fd *elem = (struct shim_fifos_fd *)it->elem; ++ w_count = isula_file_total_write_nointr(elem->out_fd, p->buf, r_count); ++ if (w_count < 0) { ++ remove_attach_terminal_fifos(descr, it); ++ } + } + + return EPOLL_LOOP_HANDLE_CONTINUE; +@@ -326,6 +500,159 @@ static int resize_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t + return EPOLL_LOOP_HANDLE_CONTINUE; + } + ++static bool attach_fifopath_security_check(process_t *p, const char *fifopath) ++{ ++ struct stat st = { 0 }; ++ char real_path[PATH_MAX] = { 0 }; ++ ++ if (isula_validate_absolute_path(fifopath) != 0) { ++ write_attach_message(ERR_MSG, "attach fifo path \"%s\" must be an valid absolute path", fifopath); ++ return false; ++ } ++ ++ if (realpath(fifopath, real_path) == NULL) { ++ write_attach_message(ERR_MSG, "Failed to get realpath for '%s': %s.", real_path, SHIM_SYS_ERR(errno)); ++ return false; ++ } ++ ++ if (!isula_has_prefix(real_path, p->workdir)) { ++ write_attach_message(ERR_MSG, "attach fifo path \"%s\" must be under the state path", real_path, p->workdir); ++ return false; ++ } ++ ++ if (lstat(real_path, &st) != 0) { ++ write_attach_message(ERR_MSG, "Failed to lstat %s : %s", real_path, SHIM_SYS_ERR(errno)); ++ return false; ++ } ++ ++ if (!S_ISFIFO(st.st_mode)) { ++ write_attach_message(ERR_MSG, "attach fifo path \"%s\" must be an FIFO", real_path); ++ return false; ++ } ++ ++ if ((st.st_mode & 0777) != ATTACH_FIFOPATH_MODE) { ++ write_attach_message(ERR_MSG, "attach fifo path \"%s\" permission invalid", real_path); ++ return false; ++ } ++ ++ if (st.st_uid != 0) { ++ write_attach_message(ERR_MSG, "attach fifo path \"%s\" uid invalid", real_path); ++ return false; ++ } ++ ++ return true; ++} ++ ++// attach_cb needs to read the content from communication fd and parse it. ++// at the same time, it also needs to establish a connection between the attach fd and the container fd. ++// 1. if it fails, it needs to write an error message to attach log file, ++// and write -1 to connection fd to let isulad know that it has failed. ++// 2. if it succeeds, write 0 to let isulad know that it is ready. ++// attach_cb returns EPOLL_LOOP_HANDLE_CONTINUE regardless of success or failure, ++// because whether the attach operation is successful or not does not affect the first process of the container. ++static int attach_cb(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t *descr) ++{ ++ process_t *p = (process_t *)cbdata; ++ int r_count = 0; ++ char tmp_buf[BUFSIZ + 1] = { 0 }; ++ char *in = NULL, *out = NULL, *err = NULL; ++ int fifofd_in = -1; ++ isula_string_array *tmp_str_array = NULL; ++ int ret = 0; ++ // attach execution return value ++ int status = -1; ++ bool valid = true; ++ ++ // after receiving the event that isulad closes the connection, ++ // close the communication fd and remove it from epoll. ++ if (events & EPOLLHUP) { ++ close(fd); ++ isula_epoll_remove_handler(descr, fd); ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++ } ++ ++ if (!(events & EPOLLIN)) { ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++ } ++ ++ r_count = isula_file_read_nointr(fd, tmp_buf, sizeof(tmp_buf) - 1); ++ if (r_count <= 0) { ++ write_attach_message(ERR_MSG, "Failed to read msg from attach conn fd"); ++ goto out; ++ } ++ ++ // limit the number of attach connections to MAX_ATTACH_NUM ++ if (isula_linked_list_len(p->attach_fifos) >= MAX_ATTACH_NUM) { ++ write_attach_message(ERR_MSG, "The number of attach connections exceeds the limit:%d, and this connection is rejected.", ++ MAX_ATTACH_NUM); ++ goto out; ++ } ++ ++ tmp_str_array = isula_string_split_to_multi(tmp_buf, ' '); ++ if (tmp_str_array->len != 3) { ++ write_attach_message(ERR_MSG, "Invalid attach msg from isulad"); ++ goto out; ++ } ++ ++ for (int i = 0; i < tmp_str_array->len; i++) { ++ valid = valid && attach_fifopath_security_check(p, tmp_str_array->items[i]); ++ } ++ ++ if (!valid) { ++ write_attach_message(ERR_MSG, "Invalid attach fifo path from isulad"); ++ goto out; ++ } ++ ++ in = tmp_str_array->items[0]; ++ out = tmp_str_array->items[1]; ++ err = tmp_str_array->items[2]; ++ ++ if (add_attach_terminal_fifos(in, out, err, &fifofd_in, p) < 0) { ++ write_attach_message(ERR_MSG, "Failed to add attach terminal fifos"); ++ goto out; ++ } ++ ++ // attach stdin --> container stdin ++ ret = isula_epoll_add_handler(descr, fifofd_in, attach_stdin_cb, p); ++ if (ret != SHIM_OK) { ++ write_attach_message(ERR_MSG, "add fifofd_in fd %d to epoll loop failed:%d", fifofd_in, SHIM_SYS_ERR(errno)); ++ struct isula_linked_list *item = get_attach_fifo_item(fd, p->attach_fifos); ++ if (item != NULL && item->elem != NULL) { ++ remove_attach_terminal_fifos(descr, item); ++ } ++ goto out; ++ } ++ ++ status = 0; ++out: ++ isula_string_array_free(tmp_str_array); ++ (void)isula_file_write_nointr(fd, &status, sizeof(int)); ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++} ++ ++// do_attach_socket_accept returns EPOLL_LOOP_HANDLE_CONTINUE regardless of success or failure, ++// because whether the attach operation is successful or not does not affect the first process of the container. ++static int do_attach_socket_accept(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t *descr) ++{ ++ process_t *p = (process_t *)cbdata; ++ int conn_fd = -1; ++ int ret = SHIM_ERR; ++ ++ conn_fd = accept(p->attach_socket_fd, NULL, NULL); ++ if (conn_fd < 0) { ++ write_attach_message(ERR_MSG, "accept from fd %d failed:%d", p->attach_socket_fd, SHIM_SYS_ERR(errno)); ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++ } ++ ++ ret = isula_epoll_add_handler(descr, conn_fd, attach_cb, p); ++ if (ret != SHIM_OK) { ++ write_attach_message(ERR_MSG, "add recv_fd %d to epoll loop failed:%d", conn_fd, SHIM_SYS_ERR(errno)); ++ close(conn_fd); ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++ } ++ return EPOLL_LOOP_HANDLE_CONTINUE; ++} ++ + static int task_console_accept(int fd, uint32_t events, void *cbdata, isula_epoll_descr_t *descr) + { + process_t *p = (process_t *)cbdata; +@@ -399,6 +726,7 @@ static void stdio_release(int (*stdio_fd)[2]) + for (j = 0; j < 2; j++) { + if (stdio_fd[i][j] > 0) { + close(stdio_fd[i][j]); ++ stdio_fd[i][j] = -1; + } + } + } +@@ -568,24 +896,6 @@ static int open_generic_io(process_t *p, isula_epoll_descr_t *descr) + return SHIM_OK; + } + +-static int set_non_block(int fd) +-{ +- int flag = -1; +- int ret = SHIM_ERR; +- +- flag = fcntl(fd, F_GETFL, 0); +- if (flag < 0) { +- return SHIM_ERR; +- } +- +- ret = fcntl(fd, F_SETFL, flag | O_NONBLOCK); +- if (ret != 0) { +- return SHIM_ERR; +- } +- +- return SHIM_OK; +-} +- + /* + std_id: channel type + isulad_stdio: one side of the isulad fifo file +@@ -623,6 +933,14 @@ static void *io_epoll_loop(void *data) + exit(EXIT_FAILURE); + } + ++ if (p->state->attach_socket != NULL) { ++ ret = isula_epoll_add_handler(&descr, p->attach_socket_fd, do_attach_socket_accept, p); ++ if (ret != SHIM_OK) { ++ write_message(ERR_MSG, "add attach_socket_fd %d to epoll loop failed:%d", p->attach_socket_fd, SHIM_SYS_ERR(errno)); ++ exit(EXIT_FAILURE); ++ } ++ } ++ + if (p->state->terminal) { + ret = open_terminal_io(p, &descr); + } else { +@@ -651,7 +969,7 @@ static void *io_epoll_loop(void *data) + } + + if (fd_out > 0) { +- ret = set_non_block(fd_out); ++ ret = isula_set_non_block(fd_out); + if (ret != SHIM_OK) { + write_message(ERR_MSG, "set fd %d non_block failed:%d", fd_out, SHIM_SYS_ERR(errno)); + exit(EXIT_FAILURE); +@@ -666,7 +984,7 @@ static void *io_epoll_loop(void *data) + } + + if (fd_err > 0) { +- ret = set_non_block(fd_err); ++ ret = isula_set_non_block(fd_err); + if (ret != SHIM_OK) { + write_message(ERR_MSG, "set fd %d non_block failed:%d", fd_err, SHIM_SYS_ERR(errno)); + exit(EXIT_FAILURE); +@@ -807,15 +1125,19 @@ failure: + if (p->isulad_io != NULL) { + if (p->isulad_io->in > 0) { + close(p->isulad_io->in); ++ p->isulad_io->in = -1; + } + if (p->isulad_io->out > 0) { + close(p->isulad_io->out); ++ p->isulad_io->out = -1; + } + if (p->isulad_io->err > 0) { + close(p->isulad_io->err); ++ p->isulad_io->err = -1; + } + if (p->isulad_io->resize > 0) { + close(p->isulad_io->resize); ++ p->isulad_io->resize = -1; + } + free(p->isulad_io); + p->isulad_io = NULL; +@@ -937,6 +1259,13 @@ process_t *new_process(char *id, char *bundle, char *runtime) + goto failure; + } + ++ p->attach_fifos = isula_common_calloc_s(sizeof(struct isula_linked_list)); ++ if (p->attach_fifos == NULL) { ++ goto failure; ++ } ++ ++ isula_linked_list_init(p->attach_fifos); ++ + return p; + + failure: +@@ -1368,3 +1697,49 @@ int process_signal_handle_routine(process_t *p, const pthread_t tid_epoll, const + (void)isula_file_write_nointr(STDOUT_FILENO, &status, sizeof(int)); + return SHIM_OK; + } ++ ++int prepare_attach_socket(process_t *p) ++{ ++ struct sockaddr_un addr; ++ int ret = -1; ++ ++ if (strlen(p->state->attach_socket) >= sizeof(addr.sun_path)) { ++ write_message(ERR_MSG, "Invalid attach socket path: %s", p->state->attach_socket); ++ return SHIM_ERR; ++ } ++ ++ p->attach_socket_fd = socket(AF_UNIX, SOCK_STREAM, 0); ++ if (p->attach_socket_fd < 0) { ++ write_message(ERR_MSG, "Failed to create socket:%d", SHIM_SYS_ERR(errno)); ++ return SHIM_ERR; ++ } ++ ++ (void)memset(&addr, 0, sizeof(addr)); ++ addr.sun_family = AF_UNIX; ++ (void)strncpy(addr.sun_path, p->state->attach_socket, sizeof(addr.sun_path) - 1); ++ ++ ret = bind(p->attach_socket_fd, (struct sockaddr *)&addr, sizeof(addr)); ++ if (ret < 0) { ++ write_message(ERR_MSG, "bind console fd failed:%d", SHIM_SYS_ERR(errno)); ++ return SHIM_ERR; ++ } ++ ++ ret = chmod(p->state->attach_socket, SOCKET_DIRECTORY_MODE); ++ if (ret != 0) { ++ write_message(ERR_MSG, "Failed to chmod for socket: %s", p->state->attach_socket); ++ return SHIM_ERR; ++ } ++ ++ //If the backlog argument is greater than the value in ++ // /proc/sys/net/core/somaxconn, then it is silently capped to that ++ // value. Since Linux 5.4, the default in this file is 4096; in ++ // earlier kernels, the default value is 128. Before Linux 2.4.25, ++ // this limit was a hard coded value, SOMAXCONN, with the value 128. ++ // The maximum number of attach we allow here is MAX_ATTACH_NUM, so just use it directly ++ ret = listen(p->attach_socket_fd, MAX_ATTACH_NUM); ++ if (ret < 0) { ++ write_message(ERR_MSG, "listen console fd failed:%d", SHIM_SYS_ERR(errno)); ++ return SHIM_ERR; ++ } ++ return SHIM_OK; ++} +\ No newline at end of file +diff --git a/src/cmd/isulad-shim/process.h b/src/cmd/isulad-shim/process.h +index 280d9874..5607316c 100644 +--- a/src/cmd/isulad-shim/process.h ++++ b/src/cmd/isulad-shim/process.h +@@ -19,7 +19,8 @@ + #include + #include + #include +-#include "isula_libutils/shim_client_process_state.h" ++#include ++#include "isula_libutils/utils_linked_list.h" + #include "terminal.h" + + #ifdef __cplusplus +@@ -49,6 +50,7 @@ typedef struct process { + char *root_path; + int io_loop_fd; + int exit_fd; ++ int attach_socket_fd; // the server socket fd that establishes a connection with isulad + int ctr_pid; + int sync_fd; + int listen_fd; +@@ -58,6 +60,7 @@ typedef struct process { + stdio_t *stdio; // shim to on runtime side, in:r out/err: w + stdio_t *shim_io; // shim io on isulad side, in: w out/err: r + stdio_t *isulad_io; // isulad io, in:r out/err: w ++ struct isula_linked_list *attach_fifos; /* isulad: fifos used to attach teminal */ + shim_client_process_state *state; + sem_t sem_mainloop; + char *buf; +@@ -70,6 +73,8 @@ typedef struct { + + process_t* new_process(char *id, char *bundle, char *runtime); + ++int prepare_attach_socket(process_t *p); ++ + int process_io_start(process_t *p, pthread_t *tid_epoll); + int create_process(process_t *p); + int process_signal_handle_routine(process_t *p, const pthread_t tid_epoll, const uint64_t timeout); +diff --git a/src/cmd/isulad-shim/terminal.c b/src/cmd/isulad-shim/terminal.c +index 0653dc45..1c063300 100644 +--- a/src/cmd/isulad-shim/terminal.c ++++ b/src/cmd/isulad-shim/terminal.c +@@ -162,7 +162,7 @@ static int shim_json_data_write(log_terminal *terminal, const char *buf, int rea + * shouldn't happen, otherwise, discard some last bytes. + */ + nret = isula_file_total_write_nointr(terminal->fd, buf, +- terminal->log_maxsize < read_count ? terminal->log_maxsize : read_count); ++ terminal->log_maxsize < read_count ? terminal->log_maxsize : read_count); + if (nret < 0) { + ret = -1; + goto out; +diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c +index 7db96b19..124dcfe2 100644 +--- a/src/daemon/executor/container_cb/execution_stream.c ++++ b/src/daemon/executor/container_cb/execution_stream.c +@@ -346,6 +346,7 @@ static int container_attach_cb(const container_attach_request *request, containe + } + + params.rootpath = cont->root_path; ++ params.state = cont->state_path; + params.stdin = fifos[0]; + params.stdout = fifos[1]; + params.stderr = fifos[2]; +diff --git a/src/daemon/modules/api/runtime_api.h b/src/daemon/modules/api/runtime_api.h +index edb33d02..3c2100f5 100644 +--- a/src/daemon/modules/api/runtime_api.h ++++ b/src/daemon/modules/api/runtime_api.h +@@ -161,6 +161,7 @@ typedef struct _rt_resume_params_t { + + typedef struct _rt_attach_params_t { + const char *rootpath; ++ const char *state; + const char *stdin; + const char *stdout; + const char *stderr; +diff --git a/src/daemon/modules/runtime/isula/isula_rt_ops.c b/src/daemon/modules/runtime/isula/isula_rt_ops.c +index cb1ee26f..1787170b 100644 +--- a/src/daemon/modules/runtime/isula/isula_rt_ops.c ++++ b/src/daemon/modules/runtime/isula/isula_rt_ops.c +@@ -18,6 +18,10 @@ + #include "isula_rt_ops.h" + #include + #include ++#include ++#include ++#include ++#include + #include + #include + #include +@@ -26,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -52,9 +57,11 @@ + + #define SHIM_BINARY "isulad-shim" + #define RESIZE_FIFO_NAME "resize_fifo" ++#define ATTACH_SOCKET "attach_socket.sock" + #define SHIM_LOG_SIZE ((BUFSIZ - 100) / 2) + #define RESIZE_DATA_SIZE 100 + #define PID_WAIT_TIME 120 ++#define ATTACH_WAIT_TIME 120 + #define SHIM_EXIT_TIMEOUT 2 + + // file name formats of cgroup resources json +@@ -223,6 +230,19 @@ static void show_shim_runtime_errlog(const char *workdir) + isulad_set_error_message(buf); + } + ++static void show_shim_attach_errlog(const char *workdir) ++{ ++ char buf[SHIM_LOG_SIZE] = { 0 }; ++ ++ if (g_isulad_errmsg != NULL) { ++ return; ++ } ++ ++ get_err_message(buf, sizeof(buf), workdir, "attach-log.json"); ++ ERROR("shim-log: %s", buf); ++ isulad_set_error_message("shim-log error:\n%s\n", buf); ++} ++ + bool rt_isula_detect(const char *runtime) + { + if (runtime != NULL && (strcasecmp(runtime, "lcr") != 0)) { +@@ -463,8 +483,9 @@ static void runtime_exec_param_init(runtime_exec_info *rei) + } + } + +-static int runtime_exec_info_init(runtime_exec_info *rei, const char *workdir, const char *root_path, const char *runtime, const char *subcmd, +- const char **opts, size_t opts_len, const char *id, char **params, size_t params_num) ++static int runtime_exec_info_init(runtime_exec_info *rei, const char *workdir, const char *root_path, ++ const char *runtime, const char *subcmd, const char **opts, size_t opts_len, const char *id, char **params, ++ size_t params_num) + { + int ret = 0; + rei->workdir = workdir; +@@ -1012,6 +1033,7 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_ + size_t runtime_args_len = 0; + int ret = 0; + char workdir[PATH_MAX] = { 0 }; ++ char attach_socket[PATH_MAX] = { 0 }; + shim_client_process_state p = { 0 }; + int shim_exit_code = 0; + int nret = 0; +@@ -1034,6 +1056,13 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_ + goto out; + } + ++ nret = snprintf(attach_socket, sizeof(attach_socket), "%s/%s", workdir, ATTACH_SOCKET); ++ if (nret < 0 || (size_t)nret >= sizeof(attach_socket)) { ++ INFO("Failed to get full attach socket path"); ++ ret = -1; ++ goto out; ++ } ++ + p.exit_fifo = (char *)params->exit_fifo; + p.open_tty = params->tty; + p.open_stdin = params->open_stdin; +@@ -1042,6 +1071,7 @@ int rt_isula_create(const char *id, const char *runtime, const rt_create_params_ + p.isulad_stderr = (char *)params->stderr; + p.runtime_args = (char **)runtime_args; + p.runtime_args_len = runtime_args_len; ++ p.attach_socket = attach_socket; + copy_process(&p, config->process); + copy_annotations(&p, config->annotations); + +@@ -1224,7 +1254,7 @@ static bool fg_exec(const rt_exec_params_t *params) + return false; + } + +-static char *try_generate_exec_id() ++static char *try_generate_random_id() + { + char *id = NULL; + +@@ -1324,7 +1354,7 @@ int rt_isula_exec(const char *id, const char *runtime, const rt_exec_params_t *p + if (params->suffix != NULL) { + exec_id = util_strdup_s(params->suffix); + } else { +- exec_id = try_generate_exec_id(); ++ exec_id = try_generate_random_id(); + } + if (exec_id == NULL) { + ERROR("Out of memory or generate exec id failed"); +@@ -1423,13 +1453,133 @@ out: + return ret; + } + +-int rt_isula_attach(const char *id, const char *runtime, const rt_attach_params_t *params) ++static int get_container_attach_statuscode(const char *workdir, int attach_shim_fd) + { +- ERROR("isula attach not support on isulad-shim"); +- isulad_set_error_message("isula attach not support on isulad-shim"); ++ int status_code = 0; ++ int ret = -1; ++ struct timespec beg = { 0 }; ++ struct timespec end = { 0 }; ++ ++ if (clock_gettime(CLOCK_MONOTONIC, &beg) != 0) { ++ ERROR("Failed get time"); ++ return -1; ++ } ++ ++ while (true) { ++ if (clock_gettime(CLOCK_MONOTONIC, &end) != 0) { ++ ERROR("Failed get time"); ++ return -1; ++ } ++ if (end.tv_sec - beg.tv_sec > ATTACH_WAIT_TIME) { ++ ERROR("Wait container attach exitcode timeout"); ++ return -1; ++ } ++ ret = util_read_nointr(attach_shim_fd, &status_code, sizeof(int)); ++ if (ret <= 0) { ++ if (shim_alive(workdir)) { ++ // wait 100 millisecond to read exit code ++ util_usleep_nointerupt(100000); ++ continue; ++ } ++ ERROR("Failed read pid from dead shim %s", workdir); ++ return -1; ++ } ++ return status_code; /* success */ ++ } + return -1; + } + ++static int get_attach_socketfd(const char *attach_socket, int *socket_fd) ++{ ++ struct sockaddr_un addr = { 0 }; ++ __isula_auto_close int tmp_socket = -1; ++ ++ if (strlen(attach_socket) >= sizeof(addr.sun_path)) { ++ SYSERROR("Invalid attach socket path: %s", attach_socket); ++ return -1; ++ } ++ ++ tmp_socket = socket(AF_UNIX, SOCK_STREAM, 0); ++ if (tmp_socket < 0) { ++ SYSERROR("Failed to create attach socket"); ++ return -1; ++ } ++ ++ if (isula_set_non_block(tmp_socket) < 0) { ++ SYSERROR("Failed to set socket non block"); ++ return -1; ++ } ++ ++ (void)memset(&addr, 0, sizeof(addr)); ++ addr.sun_family = AF_UNIX; ++ (void)strcpy(addr.sun_path, attach_socket); ++ ++ if (connect(tmp_socket, (void *)&addr, sizeof(addr)) < 0) { ++ SYSERROR("Failed to connect attach socket: %s", attach_socket); ++ return -1; ++ } ++ *socket_fd = isula_transfer_fd(tmp_socket); ++ return 0; ++} ++ ++int rt_isula_attach(const char *id, const char *runtime, const rt_attach_params_t *params) ++{ ++ int ret = 0; ++ int len = 0; ++ int status_code = 0; ++ __isula_auto_close int socket_fd = -1; ++ char buf[BUFSIZ] = { 0 }; ++ char workdir[PATH_MAX] = { 0 }; ++ char attach_socket[PATH_MAX] = { 0 }; ++ ++ if (id == NULL || runtime == NULL || params == NULL) { ++ ERROR("Null argument"); ++ return -1; ++ } ++ ++ ret = snprintf(workdir, sizeof(workdir), "%s/%s", params->state, id); ++ if (ret < 0 || (size_t)ret >= sizeof(workdir)) { ++ ERROR("Failed join exec full path"); ++ return -1; ++ } ++ ++ // the communication format between isulad and isulad-shim attach is: ++ // stdin-path stdout-path stderr-path ++ len = snprintf(buf, sizeof(buf), "%s %s %s", params->stdin, params->stdout, params->stderr); ++ if (len < 0 || (size_t)len >= sizeof(buf)) { ++ ERROR("Failed to snprintf string"); ++ return -1; ++ } ++ ++ ret = snprintf(attach_socket, sizeof(attach_socket), "%s/%s", workdir, ATTACH_SOCKET); ++ if (ret < 0 || (size_t)ret >= sizeof(attach_socket)) { ++ ERROR("Failed to get full attach socket path"); ++ return -1; ++ } ++ ++ ret = get_attach_socketfd(attach_socket, &socket_fd); ++ if (ret < 0) { ++ ERROR("Failed to get attach socketfd"); ++ return -1; ++ } ++ ++ DEBUG("write %s to attach fd", buf); ++ ++ ret = isula_file_write_nointr(socket_fd, buf, len); ++ if (ret < 0) { ++ SYSERROR("Failed to write attach isulad fd"); ++ return -1; ++ } ++ ++ status_code = get_container_attach_statuscode(workdir, socket_fd); ++ if (status_code < 0) { ++ show_shim_attach_errlog(workdir); ++ return -1; ++ } ++ ++ return 0; ++} ++ + static int to_engine_resources_unified(const host_config *hostconfig, shim_client_cgroup_resources *cr) + { + int i; +@@ -1673,7 +1823,7 @@ static int parse_ps_data(char *stdout_msg, rt_listpids_out_t *out) + } + + static int runtime_call_ps(const char *workdir, const char *runtime, const char *id, +- rt_listpids_out_t *out) ++ rt_listpids_out_t *out) + { + __isula_auto_free char *stdout_msg = NULL; + __isula_auto_free char *stderr_msg = NULL; +@@ -1681,7 +1831,7 @@ static int runtime_call_ps(const char *workdir, const char *runtime, const char + int ret = 0; + int nret = 0; + char *params[PARAM_NUM] = { 0 }; +- const char *opts[2] = { "--format" , "json" }; ++ const char *opts[2] = { "--format", "json" }; + char root_path[PATH_MAX] = { 0 }; + + nret = snprintf(root_path, PATH_MAX, "%s/%s", workdir, runtime); +diff --git a/src/utils/cutils/error.h b/src/utils/cutils/error.h +index 088ed261..75eae760 100644 +--- a/src/utils/cutils/error.h ++++ b/src/utils/cutils/error.h +@@ -44,8 +44,10 @@ extern "C" { + /* err in runtime module */ \ + XX(ERR_RUNTIME, DEF_ERR_RUNTIME_STR) \ + \ ++ /* info for detach */ \ ++ XX(INFO_DETACH, "Attach detach") \ + /* err max */ \ +- XX(ERR_UNKNOWN, "Unknown error") ++ XX(ERR_UNKNOWN, "Unknown error") + + #define ISULAD_ERRNO_GEN(n, s) ISULAD_##n, + typedef enum { ISULAD_ERRNO_MAP(ISULAD_ERRNO_GEN) } isulad_errno_t; +-- +2.42.0 + diff --git a/0011-remove-usage-of-strerror-with-user-defined-errno.patch b/0011-remove-usage-of-strerror-with-user-defined-errno.patch deleted file mode 100644 index 7626e6a..0000000 --- a/0011-remove-usage-of-strerror-with-user-defined-errno.patch +++ /dev/null @@ -1,891 +0,0 @@ -From 16a4b6f334e4e81615a71cf7930158fb1bee5a12 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Wed, 6 Sep 2023 15:05:29 +0800 -Subject: [PATCH 11/32] remove usage of strerror with user defined errno - -Signed-off-by: haozi007 ---- - src/cmd/command_parser.c | 12 ++++++---- - src/cmd/isula/base/create.c | 3 ++- - src/cmd/isula/isula_host_spec.c | 9 ++++--- - src/cmd/isulad/main.c | 8 ++++--- - src/cmd/options/opt_ulimit.c | 6 +++-- - src/daemon/entry/cri/cni_network_plugin.cc | 9 ++++--- - src/daemon/entry/cri/sysctl_tools.c | 14 +++++++---- - .../v1/v1_cri_container_manager_service.cc | 4 ++-- - .../v1/v1_cri_pod_sandbox_manager_service.cc | 3 ++- - src/daemon/executor/network_cb/network_cb.c | 6 +++-- - src/daemon/modules/image/oci/oci_image.c | 6 +++-- - .../oci/storage/image_store/image_store.c | 6 +++-- - .../graphdriver/devmapper/deviceset.c | 19 +++++++++------ - .../storage/layer_store/graphdriver/driver.c | 9 ++++--- - .../graphdriver/overlay2/driver_overlay2.c | 17 ++++++++----- - .../oci/storage/layer_store/layer_store.c | 6 +++-- - .../remote_layer_support/remote_support.c | 6 +++-- - .../oci/storage/rootfs_store/rootfs_store.c | 6 +++-- - .../modules/image/oci/storage/storage.c | 6 +++-- - .../cni_operator/libcni/invoke/libcni_errno.c | 8 ------- - .../cni_operator/libcni/invoke/libcni_errno.h | 2 -- - .../cni_operator/libcni/libcni_cached.c | 3 ++- - .../modules/network/native/adaptor_native.c | 17 ++++++++----- - src/daemon/modules/plugin/plugin.c | 24 ++++++++++++------- - src/daemon/modules/service/service_network.c | 6 ++--- - src/daemon/sandbox/sandbox.cc | 8 ++++--- - src/utils/cutils/network_namespace.c | 3 ++- - src/utils/cutils/utils_file.c | 4 +++- - 28 files changed, 144 insertions(+), 86 deletions(-) - -diff --git a/src/cmd/command_parser.c b/src/cmd/command_parser.c -index ac353b40..1ad1d92b 100644 ---- a/src/cmd/command_parser.c -+++ b/src/cmd/command_parser.c -@@ -546,7 +546,8 @@ int command_convert_u16(command_option_t *option, const char *arg) - } - ret = util_safe_u16(arg, option->data); - if (ret != 0) { -- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, option->large, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, option->large); - return EINVALIDARGS; - } - return 0; -@@ -561,7 +562,8 @@ int command_convert_llong(command_option_t *opt, const char *arg) - } - ret = util_safe_llong(arg, opt->data); - if (ret != 0) { -- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, opt->large, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, opt->large); - return EINVALIDARGS; - } - return 0; -@@ -575,7 +577,8 @@ int command_convert_uint(command_option_t *opt, const char *arg) - } - ret = util_safe_uint(arg, opt->data); - if (ret != 0) { -- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, opt->large, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, opt->large); - return EINVALIDARGS; - } - return 0; -@@ -590,7 +593,8 @@ int command_convert_int(command_option_t *option, const char *arg) - } - ret = util_safe_int(arg, option->data); - if (ret != 0) { -- COMMAND_ERROR("Invalid value \"%s\" for flag --%s: %s", arg, option->large, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid value \"%s\" for flag --%s", arg, option->large); - return EINVALIDARGS; - } - return 0; -diff --git a/src/cmd/isula/base/create.c b/src/cmd/isula/base/create.c -index aa90c5d6..cd0d4abd 100644 ---- a/src/cmd/isula/base/create.c -+++ b/src/cmd/isula/base/create.c -@@ -2032,7 +2032,8 @@ static int create_check_hugetlbs(const struct client_arguments *args) - } - ret = util_parse_byte_size_string(limit, &limitvalue); - if (ret != 0) { -- COMMAND_ERROR("Invalid hugetlb limit:%s:%s", limit, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid hugetlb limit:%s", limit); - free(dup); - ret = -1; - goto out; -diff --git a/src/cmd/isula/isula_host_spec.c b/src/cmd/isula/isula_host_spec.c -index 9fa08bd2..6f39588d 100644 ---- a/src/cmd/isula/isula_host_spec.c -+++ b/src/cmd/isula/isula_host_spec.c -@@ -66,7 +66,8 @@ static bool parse_restart_policy(const char *policy, host_config_restart_policy - } - nret = util_safe_int(dotpos, &(*rp)->maximum_retry_count); - if (nret != 0) { -- COMMAND_ERROR("Maximum retry count must be an integer: %s", strerror(-nret)); -+ errno = -nret; -+ CMD_SYSERROR("Maximum retry count must be an integer"); - goto cleanup; - } - } -@@ -724,7 +725,8 @@ static host_config_hugetlbs_element *pase_hugetlb_limit(const char *input) - - ret = util_parse_byte_size_string(limit_value, &tconverted); - if (ret != 0 || tconverted < 0) { -- COMMAND_ERROR("Parse limit value: %s failed:%s", limit_value, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Parse limit value: %s failed", limit_value); - goto free_out; - } - limit = (uint64_t)tconverted; -@@ -733,7 +735,8 @@ static host_config_hugetlbs_element *pase_hugetlb_limit(const char *input) - tconverted = 0; - ret = util_parse_byte_size_string(pagesize, &tconverted); - if (ret != 0 || tconverted < 0) { -- COMMAND_ERROR("Parse pagesize error.Invalid hugepage size: %s: %s", pagesize, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Parse pagesize error.Invalid hugepage size: %s", pagesize); - goto free_out; - } - page = (uint64_t)tconverted; -diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c -index 39cde6aa..8369f9e2 100644 ---- a/src/cmd/isulad/main.c -+++ b/src/cmd/isulad/main.c -@@ -632,8 +632,9 @@ static int parse_time_duration(const char *value, unsigned int *seconds) - *(num_str + len - 1) = '\0'; - ret = util_safe_uint(num_str, &tmp); - if (ret < 0) { -- ERROR("Illegal unsigned integer: %s", num_str); -- COMMAND_ERROR("Illegal unsigned integer:%s:%s", num_str, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Illegal unsigned integer: %s", num_str); -+ COMMAND_ERROR("Illegal unsigned integer:%s", num_str); - ret = -1; - goto out; - } -@@ -1407,7 +1408,8 @@ static int create_mount_flock_file(const struct service_arguments *args) - // recreate mount flock file - // and make file uid/gid and permission correct - if (!util_force_remove_file(cleanpath, &err)) { -- ERROR("Failed to delete %s, error: %s. Please delete %s manually.", path, strerror(err), path); -+ errno = err; -+ SYSERROR("Failed to delete %s. Please delete %s manually.", path, path); - return -1; - } - } -diff --git a/src/cmd/options/opt_ulimit.c b/src/cmd/options/opt_ulimit.c -index 55912a16..6853c0d9 100644 ---- a/src/cmd/options/opt_ulimit.c -+++ b/src/cmd/options/opt_ulimit.c -@@ -63,7 +63,8 @@ static int parse_soft_hard_ulimit(const char *val, char **limitvals, size_t limi - // parse soft - ret = util_safe_llong(limitvals[0], &converted); - if (ret < 0) { -- COMMAND_ERROR("Invalid ulimit soft value: \"%s\", parse int64 failed: %s", val, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid ulimit soft value: \"%s\", parse int64 failed", val); - ret = -1; - goto out; - } -@@ -74,7 +75,8 @@ static int parse_soft_hard_ulimit(const char *val, char **limitvals, size_t limi - converted = 0; - ret = util_safe_llong(limitvals[1], &converted); - if (ret < 0) { -- COMMAND_ERROR("Invalid ulimit hard value: \"%s\", parse int64 failed: %s", val, strerror(-ret)); -+ errno = -ret; -+ CMD_SYSERROR("Invalid ulimit hard value: \"%s\", parse int64 failed", val); - ret = -1; - goto out; - } -diff --git a/src/daemon/entry/cri/cni_network_plugin.cc b/src/daemon/entry/cri/cni_network_plugin.cc -index 1c7fea2e..c186d185 100644 ---- a/src/daemon/entry/cri/cni_network_plugin.cc -+++ b/src/daemon/entry/cri/cni_network_plugin.cc -@@ -796,7 +796,8 @@ void CniNetworkPlugin::RLockNetworkMap(Errors &error) - int ret = pthread_rwlock_rdlock(&m_netsLock); - if (ret != 0) { - error.Errorf("Failed to get read lock"); -- ERROR("Get read lock failed: %s", strerror(ret)); -+ errno = ret; -+ SYSERROR("Get read lock failed"); - } - } - -@@ -805,7 +806,8 @@ void CniNetworkPlugin::WLockNetworkMap(Errors &error) - int ret = pthread_rwlock_wrlock(&m_netsLock); - if (ret != 0) { - error.Errorf("Failed to get write lock"); -- ERROR("Get write lock failed: %s", strerror(ret)); -+ errno = ret; -+ SYSERROR("Get write lock failed"); - } - } - -@@ -814,7 +816,8 @@ void CniNetworkPlugin::UnlockNetworkMap(Errors &error) - int ret = pthread_rwlock_unlock(&m_netsLock); - if (ret != 0) { - error.Errorf("Failed to unlock"); -- ERROR("Unlock failed: %s", strerror(ret)); -+ errno = ret; -+ SYSERROR("Unlock failed"); - } - } - -diff --git a/src/daemon/entry/cri/sysctl_tools.c b/src/daemon/entry/cri/sysctl_tools.c -index 847c36e9..ac4fb226 100644 ---- a/src/daemon/entry/cri/sysctl_tools.c -+++ b/src/daemon/entry/cri/sysctl_tools.c -@@ -22,6 +22,8 @@ - #include - #include - -+#include -+ - #include "utils.h" - - int get_sysctl(const char *sysctl, char **err) -@@ -41,14 +43,16 @@ int get_sysctl(const char *sysctl, char **err) - ret = -1; - fd = util_open(fullpath, O_RDONLY, 0); - if (fd < 0) { -- if (asprintf(err, "Open %s failed: %s", sysctl, strerror(errno)) < 0) { -+ SYSWARN("Open %s failed", sysctl); -+ if (asprintf(err, "Open %s failed", sysctl) < 0) { - *err = util_strdup_s("Out of memory"); - } - goto free_out; - } - rsize = util_read_nointr(fd, buff, sizeof(buff) - 1); - if (rsize <= 0) { -- if (asprintf(err, "Read file failed: %s", strerror(errno)) < 0) { -+ SYSWARN("Read file: %s failed", sysctl); -+ if (asprintf(err, "Read file: %s failed", sysctl) < 0) { - *err = util_strdup_s("Out of memory"); - } - goto free_out; -@@ -93,14 +97,16 @@ int set_sysctl(const char *sysctl, int new_value, char **err) - ret = -1; - fd = util_open(fullpath, O_WRONLY, 0); - if (fd < 0) { -- if (asprintf(err, "Open %s failed: %s", sysctl, strerror(errno)) < 0) { -+ SYSWARN("Open %s failed", sysctl); -+ if (asprintf(err, "Open %s failed", sysctl) < 0) { - *err = util_strdup_s("Out of memory"); - } - goto free_out; - } - rsize = util_write_nointr(fd, buff, strlen(buff)); - if (rsize < 0 || (size_t)rsize != strlen(buff)) { -- if (asprintf(err, "Write new value failed: %s", strerror(errno)) < 0) { -+ SYSWARN("Write new value to %s failed", sysctl); -+ if (asprintf(err, "Write new value to %s failed", sysctl) < 0) { - *err = util_strdup_s("Out of memory"); - } - goto free_out; -diff --git a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc -index ecb7ffbd..daba21e4 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_container_manager_service.cc -@@ -497,8 +497,8 @@ void ContainerManagerService::CreateContainerLogSymlink(const std::string &conta - WARN("Deleted previously existing symlink file: %s", path); - } - if (symlink(realPath, path) != 0) { -- error.Errorf("failed to create symbolic link %s to the container log file %s for container %s: %s", path, -- realPath, containerID.c_str(), strerror(errno)); -+ SYSERROR("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str()); -+ error.Errorf("failed to create symbolic link %s to the container log file %s for container %s", path, realPath, containerID.c_str()); - goto cleanup; - } - } else { -diff --git a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -index d57338c8..41a02c54 100644 ---- a/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -+++ b/src/daemon/entry/cri/v1/v1_cri_pod_sandbox_manager_service.cc -@@ -429,7 +429,8 @@ void PodSandboxManagerService::ClearCniNetwork(const std::shared_ptrrwlock); - } - if (nret != 0) { -- ERROR("Lock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock memory store failed"); - return false; - } - -@@ -107,7 +108,8 @@ static inline void image_store_unlock() - - nret = pthread_rwlock_unlock(&g_image_store->rwlock); - if (nret != 0) { -- FATAL("Unlock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock memory store failed"); - } - } - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -index 81e53ea7..4f19c26d 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -@@ -107,8 +107,9 @@ static int handle_dm_min_free_space(char *val, struct device_set *devset) - int ret = util_parse_percent_string(val, &converted); - - if (ret != 0 || converted >= 100) { -- ERROR("Invalid min free space: '%s': %s", val, strerror(-ret)); -- isulad_set_error_message("Invalid min free space: '%s': %s", val, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid min free space: '%s'", val); -+ isulad_set_error_message("Invalid min free space: '%s'", val); - return -1; - } - devset->min_free_space_percent = (uint32_t)converted; -@@ -122,8 +123,9 @@ static int handle_dm_basesize(char *val, struct device_set *devset) - int ret = util_parse_byte_size_string(val, &converted); - - if (ret != 0) { -- ERROR("Invalid size: '%s': %s", val, strerror(-ret)); -- isulad_set_error_message("Invalid size: '%s': %s", val, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid size: '%s'", val); -+ isulad_set_error_message("Invalid size: '%s'", val); - return -1; - } - if (converted <= 0) { -@@ -2722,7 +2724,8 @@ static int determine_driver_capabilities(const char *version, struct device_set - - ret = util_parse_byte_size_string(tmp_str[0], &major); - if (ret != 0) { -- ERROR("devmapper: invalid size: '%s': %s", tmp_str[0], strerror(-ret)); -+ errno = -ret; -+ SYSERROR("devmapper: invalid size: '%s'", tmp_str[0]); - ret = -1; - goto out; - } -@@ -2742,7 +2745,8 @@ static int determine_driver_capabilities(const char *version, struct device_set - - ret = util_parse_byte_size_string(tmp_str[1], &minor); - if (ret != 0) { -- ERROR("devmapper: invalid size: '%s': %s", tmp_str[1], strerror(-ret)); -+ errno = -ret; -+ SYSERROR("devmapper: invalid size: '%s'", tmp_str[1]); - ret = -1; - goto out; - } -@@ -2915,7 +2919,8 @@ static int parse_storage_opt(const json_map_string_string *opts, uint64_t *size) - - ret = util_parse_byte_size_string(opts->values[i], &converted); - if (ret != 0) { -- ERROR("Invalid size: '%s': %s", opts->values[i], strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid size: '%s'", opts->values[i]); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -index b83c63b1..b1790af1 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -@@ -86,7 +86,8 @@ static inline bool driver_rd_lock() - - nret = pthread_rwlock_rdlock(&g_graphdriver->rwlock); - if (nret != 0) { -- ERROR("Lock driver memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock driver memory store failed"); - return false; - } - -@@ -99,7 +100,8 @@ static inline bool driver_wr_lock() - - nret = pthread_rwlock_wrlock(&g_graphdriver->rwlock); - if (nret != 0) { -- ERROR("Lock driver memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock driver memory store failed"); - return false; - } - -@@ -112,7 +114,8 @@ static inline void driver_unlock() - - nret = pthread_rwlock_unlock(&g_graphdriver->rwlock); - if (nret != 0) { -- FATAL("Unlock driver memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock driver memory store failed"); - } - } - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -index b177f594..3b27076c 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -@@ -134,7 +134,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio - int64_t converted = 0; - ret = util_parse_byte_size_string(val, &converted); - if (ret != 0) { -- ERROR("Invalid size: '%s': %s", val, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid size: '%s'", val); - ret = -1; - goto out; - } -@@ -143,7 +144,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio - int64_t converted = 0; - ret = util_parse_byte_size_string(val, &converted); - if (ret != 0) { -- ERROR("Invalid size: '%s': %s", val, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid size: '%s'", val); - ret = -1; - goto out; - } -@@ -152,7 +154,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio - bool converted_bool = 0; - ret = util_str_to_bool(val, &converted_bool); - if (ret != 0) { -- ERROR("Invalid bool: '%s': %s", val, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid bool: '%s'", val); - ret = -1; - goto out; - } -@@ -161,7 +164,8 @@ static int overlay2_parse_options(struct graphdriver *driver, const char **optio - bool converted_bool = 0; - ret = util_str_to_bool(val, &converted_bool); - if (ret != 0) { -- ERROR("Invalid bool: '%s': %s", val, strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid bool: '%s'", val); - ret = -1; - goto out; - } -@@ -830,8 +834,9 @@ static int set_layer_quota(const char *dir, const json_map_string_string *opts, - int64_t converted = 0; - ret = util_parse_byte_size_string(opts->values[i], &converted); - if (ret != 0) { -- ERROR("Invalid size: '%s': %s", opts->values[i], strerror(-ret)); -- isulad_set_error_message("Invalid quota size: '%s': %s", opts->values[i], strerror(-ret)); -+ errno = -ret; -+ SYSERROR("Invalid size: '%s'", opts->values[i]); -+ isulad_set_error_message("Invalid quota size: '%s'", opts->values[i]); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -index ddf3a62c..8d8384b8 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -@@ -98,7 +98,8 @@ static inline bool layer_store_lock(bool writable) - nret = pthread_rwlock_rdlock(&g_metadata.rwlock); - } - if (nret != 0) { -- ERROR("Lock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock memory store failed"); - return false; - } - -@@ -111,7 +112,8 @@ static inline void layer_store_unlock() - - nret = pthread_rwlock_unlock(&g_metadata.rwlock); - if (nret != 0) { -- FATAL("Unlock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock memory store failed"); - } - } - -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -index 400678c4..1bac8dd5 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -@@ -39,7 +39,8 @@ static inline bool remote_refresh_lock(pthread_rwlock_t *remote_lock, bool writa - nret = pthread_rwlock_rdlock(remote_lock); - } - if (nret != 0) { -- ERROR("Lock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock memory store failed"); - return false; - } - -@@ -52,7 +53,8 @@ static inline void remote_refresh_unlock(pthread_rwlock_t *remote_lock) - - nret = pthread_rwlock_unlock(remote_lock); - if (nret != 0) { -- FATAL("Unlock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock memory store failed"); - } - } - -diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c -index 1c5d2d84..ee1e15d0 100644 ---- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c -+++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c -@@ -69,7 +69,8 @@ static inline bool rootfs_store_lock(enum lock_type type) - } - - if (nret != 0) { -- ERROR("Lock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock memory store failed"); - return false; - } - -@@ -82,7 +83,8 @@ static inline void rootfs_store_unlock() - - nret = pthread_rwlock_unlock(&g_rootfs_store->rwlock); - if (nret != 0) { -- FATAL("Unlock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock memory store failed"); - } - } - -diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c -index d5e79207..aa442ecf 100644 ---- a/src/daemon/modules/image/oci/storage/storage.c -+++ b/src/daemon/modules/image/oci/storage/storage.c -@@ -61,7 +61,8 @@ static inline bool storage_lock(pthread_rwlock_t *store_lock, bool writable) - nret = pthread_rwlock_rdlock(store_lock); - } - if (nret != 0) { -- ERROR("Lock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock memory store failed"); - return false; - } - -@@ -74,7 +75,8 @@ static inline void storage_unlock(pthread_rwlock_t *store_lock) - - nret = pthread_rwlock_unlock(store_lock); - if (nret != 0) { -- FATAL("Unlock memory store failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock memory store failed"); - } - } - -diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c -index efdcfbc7..977f9fbb 100644 ---- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c -+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.c -@@ -30,14 +30,6 @@ const char * const g_INVOKE_ERR_MSGS[] = { - "Success" - }; - --const char *get_invoke_err_msg(int errcode) --{ -- if (errcode > (int)INK_ERR_MIN && errcode <= (int)INK_ERR_SUCCESS) { -- return g_INVOKE_ERR_MSGS[errcode - (int)INK_ERR_MIN]; -- } -- return strerror(errcode); --} -- - const char * const g_CNI_WELL_KNOWN_ERR_MSGS[] = { - /* 0 */ - "Success", -diff --git a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h -index 9f63e5f5..236bc6ef 100644 ---- a/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h -+++ b/src/daemon/modules/network/cni_operator/libcni/invoke/libcni_errno.h -@@ -43,8 +43,6 @@ enum CNI_CUSTOM_ERROR { - CUSTOM_ERR_MAX, // max flag - }; - --const char *get_invoke_err_msg(int errcode); -- - enum CNI_WELL_KNOW_ERROR { - CNI_ERR_UNKNOW = 0, - CNI_ERR_INCOMPATIBLE_CNI_VERSION, -diff --git a/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c b/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c -index 63ee6e10..17de527e 100644 ---- a/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c -+++ b/src/daemon/modules/network/cni_operator/libcni/libcni_cached.c -@@ -276,7 +276,8 @@ int cni_cache_delete(const char *cache_dir, const char *net_name, const struct r - } - - if (!util_force_remove_file(file_path, &get_err)) { -- ERROR("Failed to delete %s, error: %s", file_path, strerror(get_err)); -+ errno = get_err; -+ SYSERROR("Failed to delete %s.", file_path); - } - - free(file_path); -diff --git a/src/daemon/modules/network/native/adaptor_native.c b/src/daemon/modules/network/native/adaptor_native.c -index 8bc386d1..8d403442 100644 ---- a/src/daemon/modules/network/native/adaptor_native.c -+++ b/src/daemon/modules/network/native/adaptor_native.c -@@ -86,7 +86,8 @@ static inline bool native_store_lock(enum lock_type type) - nret = pthread_rwlock_wrlock(&g_store.rwlock); - } - if (nret != 0) { -- ERROR("Lock network list failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock network list failed"); - return false; - } - -@@ -99,7 +100,8 @@ static inline void native_store_unlock() - - nret = pthread_rwlock_unlock(&g_store.rwlock); - if (nret != 0) { -- FATAL("Unlock network list failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock network list failed"); - } - } - -@@ -113,7 +115,8 @@ static inline void native_network_lock(enum lock_type type, native_network *netw - nret = pthread_rwlock_wrlock(&network->rwlock); - } - if (nret != 0) { -- ERROR("Lock network list failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Lock network list failed"); - } - } - -@@ -123,7 +126,8 @@ static inline void native_network_unlock(native_network *network) - - nret = pthread_rwlock_unlock(&network->rwlock); - if (nret != 0) { -- FATAL("Unlock network list failed: %s", strerror(nret)); -+ errno = nret; -+ SYSERROR("Unlock network list failed"); - } - } - -@@ -1944,8 +1948,9 @@ int native_config_remove(const char *name, char **res_name) - WARN("Failed to get %s file path", network->conflist->list->name); - isulad_append_error_message("Failed to get %s file path. ", network->conflist->list->name); - } else if (!util_force_remove_file(path, &get_err)) { -- WARN("Failed to delete %s, error: %s", path, strerror(get_err)); -- isulad_append_error_message("Failed to delete %s, error: %s. ", path, strerror(get_err)); -+ errno = get_err; -+ SYSWARN("Failed to delete %s.", path); -+ isulad_append_error_message("Failed to delete %s.", path); - } - - if (!map_remove(g_store.name_to_network, (void *)network->conflist->list->name)) { -diff --git a/src/daemon/modules/plugin/plugin.c b/src/daemon/modules/plugin/plugin.c -index b4d78dc9..c42cfd21 100644 ---- a/src/daemon/modules/plugin/plugin.c -+++ b/src/daemon/modules/plugin/plugin.c -@@ -409,7 +409,8 @@ static void pm_rdlock(void) - - errcode = pthread_rwlock_rdlock(&g_plugin_manager->pm_rwlock); - if (errcode != 0) { -- ERROR("Read lock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Read lock failed"); - } - } - -@@ -419,7 +420,8 @@ static void pm_wrlock(void) - - errcode = pthread_rwlock_wrlock(&g_plugin_manager->pm_rwlock); - if (errcode != 0) { -- ERROR("Write lock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Write lock failed"); - } - } - -@@ -429,7 +431,8 @@ static void pm_unlock(void) - - errcode = pthread_rwlock_unlock(&g_plugin_manager->pm_rwlock); - if (errcode != 0) { -- ERROR("Unlock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Unlock failed"); - } - } - -@@ -659,7 +662,8 @@ static void *plugin_manager_routine(void *arg) - - errcode = pthread_detach(pthread_self()); - if (errcode != 0) { -- ERROR("Detach thread failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Detach thread failed"); - return NULL; - } - if (pm_init() < 0) { -@@ -716,7 +720,8 @@ static void plugin_rdlock(plugin_t *plugin) - - errcode = pthread_rwlock_rdlock(&plugin->lock); - if (errcode != 0) { -- ERROR("Plugin read lock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Plugin read lock failed"); - } - } - -@@ -726,7 +731,8 @@ static void plugin_wrlock(plugin_t *plugin) - - errcode = pthread_rwlock_wrlock(&plugin->lock); - if (errcode != 0) { -- ERROR("Plugin write lock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Plugin write lock failed"); - } - } - -@@ -736,7 +742,8 @@ static void plugin_unlock(plugin_t *plugin) - - errcode = pthread_rwlock_unlock(&plugin->lock); - if (errcode != 0) { -- ERROR("Plugin unlock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Plugin unlock failed"); - } - } - -@@ -758,7 +765,8 @@ plugin_t *plugin_new(const char *name, const char *addr) - - errcode = pthread_rwlock_init(&plugin->lock, NULL); - if (errcode != 0) { -- ERROR("Plugin init lock failed: %s", strerror(errcode)); -+ errno = errcode; -+ SYSERROR("Plugin init lock failed"); - goto bad; - } - plugin->name = util_strdup_s(name); -diff --git a/src/daemon/modules/service/service_network.c b/src/daemon/modules/service/service_network.c -index 5502bcbd..6754cf1a 100644 ---- a/src/daemon/modules/service/service_network.c -+++ b/src/daemon/modules/service/service_network.c -@@ -962,7 +962,7 @@ static int do_update_internal_file(const char *id, const char *file_path, - ret = 0; - } else { - SYSERROR("Failed to write file %s", file_path); -- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); -+ isulad_set_error_message("Failed to write file %s", file_path); - ret = -1; - } - -@@ -1180,7 +1180,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de - goto out; - } else { - SYSERROR("Failed to open %s", file_path); -- isulad_set_error_message("Failed to open %s: %s", file_path, strerror(errno)); -+ isulad_set_error_message("Failed to open %s", file_path); - ret = -1; - goto out; - } -@@ -1213,7 +1213,7 @@ static int do_drop_internal_file(const char *id, const char *file_path, const de - ret = util_write_file(file_path, str, strlen(str), NETWORK_MOUNT_FILE_MODE); - if (ret != 0) { - SYSERROR("Failed to write file %s", file_path); -- isulad_set_error_message("Failed to write file %s: %s", file_path, strerror(errno)); -+ isulad_set_error_message("Failed to write file %s", file_path); - goto out; - } - -diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc -index d3fc7eea..1723e95e 100644 ---- a/src/daemon/sandbox/sandbox.cc -+++ b/src/daemon/sandbox/sandbox.cc -@@ -817,7 +817,8 @@ auto Sandbox::SaveState(Errors &error) -> bool - - nret = util_atomic_write_file(path.c_str(), stateJson.c_str(), stateJson.length(), CONFIG_FILE_MODE, false); - if (nret != 0) { -- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); -+ SYSERROR("Failed to write file %s"); -+ error.Errorf("Failed to write file %s", path.c_str()); - return false; - } - -@@ -834,7 +835,7 @@ auto Sandbox::SaveNetworkSetting(Errors &error) -> bool - false); - if (nret != 0) { - SYSERROR("Failed to write file %s", path.c_str()); -- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); -+ error.Errorf("Failed to write file %s", path.c_str()); - return false; - } - -@@ -877,7 +878,8 @@ auto Sandbox::SaveMetadata(Errors &error) -> bool - - nret = util_atomic_write_file(path.c_str(), metadataJson.c_str(), metadataJson.length(), CONFIG_FILE_MODE, false); - if (nret != 0) { -- error.Errorf("Failed to write file %s: %s", path.c_str(), strerror(errno)); -+ SYSERROR("Failed to write file %s", path.c_str()); -+ error.Errorf("Failed to write file %s", path.c_str()); - return false; - } - return true; -diff --git a/src/utils/cutils/network_namespace.c b/src/utils/cutils/network_namespace.c -index 0e225d9b..c9838104 100644 ---- a/src/utils/cutils/network_namespace.c -+++ b/src/utils/cutils/network_namespace.c -@@ -231,7 +231,8 @@ int remove_network_namespace_file(const char *netns_path) - } - - if (!util_force_remove_file(netns_path, &get_err)) { -- ERROR("Failed to remove file %s, error: %s", netns_path, strerror(get_err)); -+ errno = get_err; -+ SYSERROR("Failed to remove file %s", netns_path); - return -1; - } - -diff --git a/src/utils/cutils/utils_file.c b/src/utils/cutils/utils_file.c -index bc22ee95..1a148b0b 100644 ---- a/src/utils/cutils/utils_file.c -+++ b/src/utils/cutils/utils_file.c -@@ -1061,7 +1061,9 @@ char *look_path(const char *file, char **err) - if (en == 0) { - return util_strdup_s(file); - } -- if (asprintf(err, "find exec %s : %s", file, strerror(en)) < 0) { -+ errno = en; -+ SYSERROR("find exec %s failed", file); -+ if (asprintf(err, "find exec %s failed", file) < 0) { - *err = util_strdup_s("Out of memory"); - } - return NULL; --- -2.25.1 - diff --git a/0012-add-runc-attach-implement-unit-test-and-ci-test.patch b/0012-add-runc-attach-implement-unit-test-and-ci-test.patch new file mode 100644 index 0000000..401d89b --- /dev/null +++ b/0012-add-runc-attach-implement-unit-test-and-ci-test.patch @@ -0,0 +1,242 @@ +From d37c0c7ded0e107167a98dc1eda2000142d274f0 Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Tue, 7 Nov 2023 16:39:50 +0800 +Subject: [PATCH 12/14] add runc attach implement unit test and ci test + +Signed-off-by: zhongtao +--- + CI/test_cases/container_cases/attach.sh | 153 ++++++++++++++++++++ + CI/test_cases/container_cases/cri_stream.sh | 6 +- + test/cmd/isulad-shim/common/common_ut.cc | 42 ++++++ + 3 files changed, 197 insertions(+), 4 deletions(-) + create mode 100755 CI/test_cases/container_cases/attach.sh + +diff --git a/CI/test_cases/container_cases/attach.sh b/CI/test_cases/container_cases/attach.sh +new file mode 100755 +index 00000000..0d362757 +--- /dev/null ++++ b/CI/test_cases/container_cases/attach.sh +@@ -0,0 +1,153 @@ ++#!/bin/bash ++# ++# attributes: isula attach test ++# concurrent: NA ++# spend time: 5 ++ ++####################################################################### ++##- Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. ++# - iSulad licensed under the Mulan PSL v2. ++# - You can use this software according to the terms and conditions of the Mulan PSL v2. ++# - You may obtain a copy of Mulan PSL v2 at: ++# - http://license.coscl.org.cn/MulanPSL2 ++# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR ++# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR ++# - PURPOSE. ++# - See the Mulan PSL v2 for more details. ++##- @Description:CI ++##- @Author: zhongtao ++##- @Create: 2023-11-06 ++####################################################################### ++ ++declare -r curr_path=$(dirname $(readlink -f "$0")) ++source ../helpers.sh ++ ++# $1 : retry limit ++# $2 : retry_interval ++# $3 : retry function ++function do_retry() ++{ ++ for i in $(seq 1 "$1"); do ++ $3 $4 $5 ++ if [ $? -ne 0 ]; then ++ return 0 ++ fi ++ sleep $2 ++ done ++ return 1 ++} ++ ++function get_ioCopy() ++{ ++ ps -T -p $(cat /var/run/isulad.pid) | grep IoCopy ++ return $? ++} ++ ++function inspect_container_status() ++{ ++ [[ $(isula inspect -f '{{.State.Status}}' ${1}) != "${2}" ]] ++ return $? ++} ++ ++function set_up() ++{ ++ local ret=0 ++ local runtime=$1 ++ ++ isula run -tid --name test --runtime $runtime busybox sh ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to run container with image: ${image}" && ((ret++)) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ ++function test_attach_fun() ++{ ++ local ret=0 ++ local retry_limit=20 ++ local retry_interval=1 ++ container_name="test" ++ local test="test_attach_fun => (${FUNCNAME[@]})" ++ ++ msg_info "${test} starting..." ++ ++ expect <<-END ++spawn isula attach test ++send \n ++expect "*" ++sleep 1 ++send "ls \r" ++expect "*" ++send "exit \r" ++expect "*" ++sleep 2 ++expect eof ++END ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to attach container test" && ((ret++)) ++ ++ count=$(isula logs test | grep ls | wc -l) ++ [[ $count -ne 1 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do attach" && ((ret++)) ++ ++ do_retry ${retry_limit} ${retry_interval} inspect_container_status ${container_name} exited ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - incorrent container status: not Exited" && ((ret++)) ++ ++ (isula attach test > /tmp/test_attach1.log 2>&1) & ++ sleep 2 ++ cat /tmp/test_attach1.log | grep "You cannot attach to a stopped container, start it first" ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do attach, except fail" && ((ret++)) ++ ++ rm -rf /tmp/test_attach1.log ++ ++ do_retry ${retry_limit} ${retry_interval} get_ioCopy ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - residual IO copy thread in CRI exec operation" && ((ret++)) ++ ++ msg_info "${test} finished with return ${ret}..." ++ return ${ret} ++} ++ ++function tear_down() ++{ ++ local ret=0 ++ ++ isula rm -f test ++ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to rm container: test" && ((ret++)) ++ ++ return ${ret} ++} ++ ++function do_test_t() ++{ ++ local ret=0 ++ local runtime=$1 ++ local test="basic attach test => (${runtime})" ++ msg_info "${test} starting..." ++ ++ set_up $runtime || ((ret++)) ++ ++ test_attach_fun || ((ret++)) ++ ++ tear_down || ((ret++)) ++ ++ msg_info "${test} finished with return ${ret}..." ++ ++ return $ret ++} ++ ++ret=0 ++ ++isula pull busybox ++[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to pull image: ${image}" && return ${FAILURE} ++ ++isula images | grep busybox ++[[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - missing list image: ${image}" && ((ret++)) ++ ++for element in ${RUNTIME_LIST[@]}; ++do ++ do_test_t $element ++ if [ $? -ne 0 ];then ++ let "ret=$ret + 1" ++ fi ++done ++ ++show_result $ret "basic attach" ++ +diff --git a/CI/test_cases/container_cases/cri_stream.sh b/CI/test_cases/container_cases/cri_stream.sh +index 2360e240..43ed3891 100755 +--- a/CI/test_cases/container_cases/cri_stream.sh ++++ b/CI/test_cases/container_cases/cri_stream.sh +@@ -187,10 +187,8 @@ function do_test_t() + test_cri_exec_fun || ((ret++)) + test_cri_exec_abn || ((ret++)) + +- # runc attach not support +- if [ $runtime == "lcr" ]; then +- test_cri_attach || ((ret++)) +- fi ++ test_cri_attach || ((ret++)) ++ + tear_down || ((ret++)) + + msg_info "${test} finished with return ${ret}..." +diff --git a/test/cmd/isulad-shim/common/common_ut.cc b/test/cmd/isulad-shim/common/common_ut.cc +index 63395232..fb60f628 100644 +--- a/test/cmd/isulad-shim/common/common_ut.cc ++++ b/test/cmd/isulad-shim/common/common_ut.cc +@@ -87,3 +87,45 @@ TEST_F(CommonUnitTest, test_combined_output) + params[0] = non_cmd.c_str(); + EXPECT_EQ(cmd_combined_output(non_cmd.c_str(), params, output, &output_len), -1); + } ++ ++TEST_F(CommonUnitTest, test_get_attach_fifo_item) ++{ ++ struct isula_linked_list *attach_fifos = NULL; ++ attach_fifos = (struct isula_linked_list *)isula_common_calloc_s(sizeof(struct isula_linked_list)); ++ ASSERT_TRUE(attach_fifos != nullptr); ++ ++ isula_linked_list_init(attach_fifos); ++ ++ EXPECT_EQ(get_attach_fifo_item(4, attach_fifos), nullptr); ++ EXPECT_EQ(get_attach_fifo_item(-1, attach_fifos), nullptr); ++ EXPECT_EQ(get_attach_fifo_item(4, NULL), nullptr); ++ ++ struct shim_fifos_fd fifos1 = { ++ .in_fd = 1, ++ .out_fd = 2, ++ .err_fd = 3, ++ }; ++ struct shim_fifos_fd fifos2 = { ++ .in_fd = 4, ++ .out_fd = 5, ++ .err_fd = 6, ++ }; ++ struct isula_linked_list *node1 = NULL; ++ struct isula_linked_list *node2 = NULL; ++ node1 = (struct isula_linked_list *)isula_common_calloc_s(sizeof(struct isula_linked_list)); ++ ASSERT_TRUE(node1 != nullptr); ++ node1->elem = &fifos1; ++ isula_linked_list_add(attach_fifos, node1); ++ ++ node2 = (struct isula_linked_list *)isula_common_calloc_s(sizeof(struct isula_linked_list)); ++ ASSERT_TRUE(node2 != nullptr); ++ node2->elem = &fifos2; ++ isula_linked_list_add(attach_fifos, node2); ++ ++ EXPECT_EQ(get_attach_fifo_item(1, attach_fifos), node1); ++ EXPECT_EQ(get_attach_fifo_item(4, attach_fifos), node2); ++ ++ free(node1); ++ free(node2); ++ free(attach_fifos); ++} +-- +2.42.0 + diff --git a/0012-use-gmtime_r-to-replace-gmtime.patch b/0012-use-gmtime_r-to-replace-gmtime.patch deleted file mode 100644 index fc371a6..0000000 --- a/0012-use-gmtime_r-to-replace-gmtime.patch +++ /dev/null @@ -1,71 +0,0 @@ -From ec04faff6fba052b5bb4ed0b090ae441f888ce5c Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Wed, 6 Sep 2023 16:31:19 +0800 -Subject: [PATCH 12/32] use gmtime_r to replace gmtime - -Signed-off-by: haozi007 ---- - src/utils/cutils/utils_timestamp.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/src/utils/cutils/utils_timestamp.c b/src/utils/cutils/utils_timestamp.c -index fee66ea8..8ae9e42a 100644 ---- a/src/utils/cutils/utils_timestamp.c -+++ b/src/utils/cutils/utils_timestamp.c -@@ -652,9 +652,9 @@ int64_t util_time_seconds_since(const char *in) - int32_t nanos = 0; - int64_t result = 0; - struct tm tm = { 0 }; -- struct tm *currentm = NULL; - struct types_timezone tz = { 0 }; - time_t currentime; -+ struct tm result_time = { 0 }; - - if (in == NULL || !strcmp(in, defaultContainerTime) || !strcmp(in, "-")) { - return 0; -@@ -666,13 +666,12 @@ int64_t util_time_seconds_since(const char *in) - } - - time(¤time); -- currentm = gmtime(¤time); -- if (currentm == NULL) { -+ if (gmtime_r(¤time, &result_time) == NULL) { - ERROR("Get time error"); - return 0; - } - -- result = get_minmus_time(currentm, &tm); -+ result = get_minmus_time(&result_time, &tm); - result = result + (int64_t)tz.hour * 3600 + (int64_t)tz.min * 60; - - if (result > 0) { -@@ -871,9 +870,9 @@ int util_time_format_duration(const char *in, char *out, size_t len) - int32_t nanos = 0; - int64_t result = 0; - struct tm tm = { 0 }; -- struct tm *currentm = NULL; - struct types_timezone tz = { 0 }; - time_t currentime = { 0 }; -+ struct tm result_time = { 0 }; - - if (out == NULL) { - return -1; -@@ -888,13 +887,12 @@ int util_time_format_duration(const char *in, char *out, size_t len) - } - - time(¤time); -- currentm = gmtime(¤time); -- if (currentm == NULL) { -+ if (gmtime_r(¤time, &result_time) == NULL) { - ERROR("Get time error"); - return -1; - } - -- result = get_minmus_time(currentm, &tm); -+ result = get_minmus_time(&result_time, &tm); - result = result + (int64_t)tz.hour * 3600 + (int64_t)tz.min * 60; - - if (result < 0 || !time_human_duration(result, out, len)) { --- -2.25.1 - diff --git a/0013-improve-report-error-message-of-client.patch b/0013-improve-report-error-message-of-client.patch deleted file mode 100644 index e8846de..0000000 --- a/0013-improve-report-error-message-of-client.patch +++ /dev/null @@ -1,72 +0,0 @@ -From a446152d676cf5616784e3f8f80dea8fd2ac221a Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Thu, 7 Sep 2023 14:34:01 +0800 -Subject: [PATCH 13/32] improve report error message of client - -Signed-off-by: haozi007 ---- - src/daemon/executor/container_cb/execution_stream.c | 4 ++-- - src/daemon/modules/service/service_container.c | 2 +- - src/utils/tar/isulad_tar.c | 4 ++-- - 3 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/daemon/executor/container_cb/execution_stream.c b/src/daemon/executor/container_cb/execution_stream.c -index aae9c234..7db96b19 100644 ---- a/src/daemon/executor/container_cb/execution_stream.c -+++ b/src/daemon/executor/container_cb/execution_stream.c -@@ -536,7 +536,7 @@ static container_path_stat *do_container_stat_path(const char *rootpath, const c - nret = lstat(resolvedpath, &st); - if (nret < 0) { - SYSERROR("lstat %s failed.", resolvedpath); -- isulad_set_error_message("lstat %s failed.", resolvedpath); -+ isulad_set_error_message("Check %s failed, get more information from log.", resolvedpath); - goto cleanup; - } - -@@ -922,7 +922,7 @@ static int copy_to_container_check_path_valid(const container_t *cont, const cha - nret = lstat(resolvedpath, &st); - if (nret < 0) { - SYSERROR("lstat %s failed", resolvedpath); -- isulad_set_error_message("lstat %s failed", resolvedpath); -+ isulad_set_error_message("Check %s failed, get more information from log.", resolvedpath); - goto cleanup; - } - -diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c -index 370ba059..83d82201 100644 ---- a/src/daemon/modules/service/service_container.c -+++ b/src/daemon/modules/service/service_container.c -@@ -596,7 +596,7 @@ static int valid_mount_point(container_config_v2_common_config_mount_points_elem - - if (lstat(mp->source, &st) != 0) { - SYSERROR("lstat %s failed", mp->source); -- isulad_set_error_message("lstat %s failed", mp->source); -+ isulad_set_error_message("Check %s failed, get more information from log.", mp->source); - return -1; - } - -diff --git a/src/utils/tar/isulad_tar.c b/src/utils/tar/isulad_tar.c -index bffbb43b..2e61d823 100644 ---- a/src/utils/tar/isulad_tar.c -+++ b/src/utils/tar/isulad_tar.c -@@ -192,7 +192,7 @@ struct archive_copy_info *copy_info_source_path(const char *path, bool follow_li - nret = lstat(resolved_path, &st); - if (nret < 0) { - SYSERROR("lstat %s failed", resolved_path); -- format_errorf(err, "lstat %s failed", resolved_path); -+ format_errorf(err, "Check %s failed, get more information from log.", resolved_path); - goto cleanup; - } - -@@ -429,7 +429,7 @@ static int tar_resource_rebase(const char *path, const char *rebase, const char - - if (lstat(path, &st) < 0) { - SYSERROR("lstat %s failed", path); -- format_errorf(err, "lstat %s failed", path); -+ format_errorf(err, "Check %s failed, get more information from log.", path); - return -1; - } - if (util_split_path_dir_entry(path, &srcdir, &srcbase) < 0) { --- -2.25.1 - diff --git a/0013-support-gcov-of-CI.patch b/0013-support-gcov-of-CI.patch new file mode 100644 index 0000000..14c4148 --- /dev/null +++ b/0013-support-gcov-of-CI.patch @@ -0,0 +1,26 @@ +From f4ea9145cea40cb97a86cd5eb91e1726cf48dd0d Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Tue, 14 Nov 2023 09:17:05 +0800 +Subject: [PATCH 13/14] support gcov of CI + +Signed-off-by: haozi007 +--- + CI/dockerfiles/Dockerfile-fedora | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/CI/dockerfiles/Dockerfile-fedora b/CI/dockerfiles/Dockerfile-fedora +index c30a3d0b..bef44377 100644 +--- a/CI/dockerfiles/Dockerfile-fedora ++++ b/CI/dockerfiles/Dockerfile-fedora +@@ -115,6 +115,8 @@ RUN echo "[source.crates-io]" >> ${HOME}/.cargo/config && \ + echo "[source.local-registry]" >> ${HOME}/.cargo/config && \ + echo "directory = \"vendor\"" >> ${HOME}/.cargo/config + ++RUN dnf install -y lcov && dnf clean all ++ + # install libevhtp + RUN export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH && \ + set -x && \ +-- +2.42.0 + diff --git a/0014-adapt-new-error-message-for-isula-cp.patch b/0014-adapt-new-error-message-for-isula-cp.patch deleted file mode 100644 index 4fbf3a5..0000000 --- a/0014-adapt-new-error-message-for-isula-cp.patch +++ /dev/null @@ -1,43 +0,0 @@ -From aba6d26fe34b3bea5964bca25f081a240312f08b Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Thu, 7 Sep 2023 14:41:48 +0800 -Subject: [PATCH 14/32] adapt new error message for isula cp - -Signed-off-by: haozi007 ---- - CI/test_cases/container_cases/cp.sh | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/CI/test_cases/container_cases/cp.sh b/CI/test_cases/container_cases/cp.sh -index 7bec9170..e60ccbc2 100755 ---- a/CI/test_cases/container_cases/cp.sh -+++ b/CI/test_cases/container_cases/cp.sh -@@ -57,10 +57,10 @@ test_cp_file_from_container() - fi - rm -rf $dstfile - -- isula cp $containername:/etc/../etc/passwd/ $cpfiles 2>&1 | grep "Not a directory" -+ isula cp $containername:/etc/../etc/passwd/ $cpfiles 2>&1 | grep "get more information from log" - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) - -- isula cp $containername:/etc/nonexists $cpfiles 2>&1 | grep "No such file or directory" -+ isula cp $containername:/etc/nonexists $cpfiles 2>&1 | grep "get more information from log" - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) - - dstfile=$cpfiles/etc -@@ -146,10 +146,10 @@ test_cp_file_to_container() - isula cp /etc/passwd $containername:$cpfiles/nonexists/ 2>&1 | grep "no such directory" - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) - -- isula cp /etc/passwd $containername:$cpfiles/nonexists/nonexists 2>&1 | grep "No such file or directory" -+ isula cp /etc/passwd $containername:$cpfiles/nonexists/nonexists 2>&1 | grep "get more information from log" - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) - -- isula cp /etc/nonexists $containername:$cpfiles 2>&1 | grep "No such file or directory" -+ isula cp /etc/nonexists $containername:$cpfiles 2>&1 | grep "get more information from log" - [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - failed to do copy" && ((ret++)) - rm -rf $dstfile - --- -2.25.1 - diff --git a/0014-compatibility-for-manage-pods-which-created-by-old-i.patch b/0014-compatibility-for-manage-pods-which-created-by-old-i.patch new file mode 100644 index 0000000..ff36bcc --- /dev/null +++ b/0014-compatibility-for-manage-pods-which-created-by-old-i.patch @@ -0,0 +1,163 @@ +From 2bf2acb51aec12e734c970b02cd7802f088a2222 Mon Sep 17 00:00:00 2001 +From: haozi007 +Date: Tue, 14 Nov 2023 10:29:34 +0800 +Subject: [PATCH 14/14] compatibility for manage pods which created by old + iSulad + +Signed-off-by: haozi007 +--- + .../cri_pod_sandbox_manager_service.cc | 12 +++- + src/daemon/entry/cri/v1alpha/naming.cc | 72 ++++++++++++++++--- + src/daemon/entry/cri/v1alpha/naming.h | 2 +- + 3 files changed, 72 insertions(+), 14 deletions(-) + +diff --git a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc +index 6e8f40b9..8533bb8c 100644 +--- a/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc ++++ b/src/daemon/entry/cri/v1alpha/cri_pod_sandbox_manager_service.cc +@@ -1153,7 +1153,11 @@ void PodSandboxManagerService::PodSandboxStatusToGRPC(const container_inspect *i + + CRIHelpers::ExtractLabels(inspect->config->labels, *podStatus->mutable_labels()); + CRIHelpers::ExtractAnnotations(inspect->config->annotations, *podStatus->mutable_annotations()); +- CRINaming::ParseSandboxName(podStatus->annotations(), *podStatus->mutable_metadata(), error); ++ std::string name; ++ if (inspect->name != nullptr) { ++ name = std::string(inspect->name); ++ } ++ CRINaming::ParseSandboxName(name, podStatus->annotations(), *podStatus->mutable_metadata(), error); + if (error.NotEmpty()) { + return; + } +@@ -1266,7 +1270,11 @@ void PodSandboxManagerService::ListPodSandboxToGRPC(container_list_response *res + + CRIHelpers::ExtractAnnotations(response->containers[i]->annotations, *pod->mutable_annotations()); + +- CRINaming::ParseSandboxName(pod->annotations(), *pod->mutable_metadata(), error); ++ std::string name; ++ if (response->containers[i]->name != nullptr) { ++ name = std::string(response->containers[i]->name); ++ } ++ CRINaming::ParseSandboxName(name, pod->annotations(), *pod->mutable_metadata(), error); + + if (filterOutReadySandboxes && pod->state() == runtime::v1alpha2::SANDBOX_READY) { + continue; +diff --git a/src/daemon/entry/cri/v1alpha/naming.cc b/src/daemon/entry/cri/v1alpha/naming.cc +index abb6e57d..de47a97d 100644 +--- a/src/daemon/entry/cri/v1alpha/naming.cc ++++ b/src/daemon/entry/cri/v1alpha/naming.cc +@@ -26,6 +26,38 @@ + #include "utils.h" + + namespace CRINaming { ++// default sandbox name create by MakeSandboxName(); ++// format is 'k8s_containername_metadataname_namespace_uid_attempt' ++static int parseName(const std::string &name, std::vector &items, unsigned int &attempt, Errors &err) ++{ ++ std::istringstream f(name); ++ std::string part; ++ ++ while (getline(f, part, CRI::Constants::nameDelimiterChar)) { ++ items.push_back(part); ++ } ++ ++ // format: k8s_containername_metadataname_namespace_uid_attempt ++ // so split name by '_', length of result array must be 6 ++ if (items.size() != 6) { ++ err.Errorf("failed to parse the sandbox name: %s", name.c_str()); ++ return -1; ++ } ++ ++ if (items[0] != CRI::Constants::kubePrefix) { ++ err.Errorf("container is not managed by kubernetes: %s", name.c_str()); ++ return -1; ++ } ++ ++ // last item index is 5, and must be attempt ++ if (util_safe_uint(items[5].c_str(), &attempt)) { ++ err.Errorf("failed to parse the sandbox name %s: %s", name.c_str(), strerror(errno)); ++ return -1; ++ } ++ ++ return 0; ++} ++ + std::string MakeSandboxName(const runtime::v1alpha2::PodSandboxMetadata &metadata) + { + std::string sname; +@@ -44,9 +76,12 @@ std::string MakeSandboxName(const runtime::v1alpha2::PodSandboxMetadata &metadat + return sname; + } + +-void ParseSandboxName(const google::protobuf::Map &annotations, ++void ParseSandboxName(const std::string &name, const google::protobuf::Map &annotations, + runtime::v1alpha2::PodSandboxMetadata &metadata, Errors &err) + { ++ // need check uid and attemp 2 items ++ int needSetUidAndAttemp = 2; ++ + if (annotations.count(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY) == 0) { + err.Errorf("annotation don't contains the sandbox name, failed to parse it"); + return; +@@ -57,21 +92,36 @@ void ParseSandboxName(const google::protobuf::Map &ann + return; + } + +- if (annotations.count(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY) == 0) { +- err.Errorf("annotation don't contains the sandbox uid, failed to parse it"); +- return; ++ metadata.set_name(annotations.at(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY)); ++ metadata.set_namespace_(annotations.at(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY)); ++ ++ if (annotations.count(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY) != 0) { ++ metadata.set_uid(annotations.at(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY)); ++ needSetUidAndAttemp--; ++ } ++ ++ if (annotations.count(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY) != 0) { ++ auto sandboxAttempt = annotations.at(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY); ++ metadata.set_attempt(static_cast(std::stoul(sandboxAttempt))); ++ needSetUidAndAttemp--; + } + +- if (annotations.count(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY) == 0) { +- err.Errorf("annotation don't contains the sandbox attempt, failed to parse it"); ++ if (needSetUidAndAttemp == 0) { + return; + } + +- metadata.set_name(annotations.at(CRIHelpers::Constants::SANDBOX_NAME_ANNOTATION_KEY)); +- metadata.set_namespace_(annotations.at(CRIHelpers::Constants::SANDBOX_NAMESPACE_ANNOTATION_KEY)); +- metadata.set_uid(annotations.at(CRIHelpers::Constants::SANDBOX_UID_ANNOTATION_KEY)); +- auto sandboxAttempt = annotations.at(CRIHelpers::Constants::SANDBOX_ATTEMPT_ANNOTATION_KEY); +- metadata.set_attempt(static_cast(std::stoul(sandboxAttempt))); ++ // get uid and attempt from name, ++ // compatibility to new iSulad manage pods created by old version iSulad ++ // maybe should remove in next version of iSulad ++ std::vector items; ++ unsigned int attempt; ++ ++ if (parseName(name, items, attempt, err) != 0) { ++ return; ++ } ++ // index 4 in split array, must be uid ++ metadata.set_uid(items[4]); ++ metadata.set_attempt(static_cast(attempt)); + } + + std::string MakeContainerName(const runtime::v1alpha2::PodSandboxConfig &s, const runtime::v1alpha2::ContainerConfig &c) +diff --git a/src/daemon/entry/cri/v1alpha/naming.h b/src/daemon/entry/cri/v1alpha/naming.h +index 7eab41d3..f2d51a98 100644 +--- a/src/daemon/entry/cri/v1alpha/naming.h ++++ b/src/daemon/entry/cri/v1alpha/naming.h +@@ -26,7 +26,7 @@ std::string MakeSandboxName(const runtime::v1alpha2::PodSandboxMetadata &metadat + std::string MakeContainerName(const runtime::v1alpha2::PodSandboxConfig &s, + const runtime::v1alpha2::ContainerConfig &c); + +-void ParseSandboxName(const google::protobuf::Map &annotations, ++void ParseSandboxName(const std::string &name, const google::protobuf::Map &annotations, + runtime::v1alpha2::PodSandboxMetadata &metadata, Errors &err); + + void ParseContainerName(const google::protobuf::Map &annotations, +-- +2.42.0 + diff --git a/0015-2182-Add-mutex-for-container-list-in-sandbox.patch b/0015-2182-Add-mutex-for-container-list-in-sandbox.patch deleted file mode 100644 index 75edc04..0000000 --- a/0015-2182-Add-mutex-for-container-list-in-sandbox.patch +++ /dev/null @@ -1,58 +0,0 @@ -From dcceff17d6c2e1c97cb18c65260edfd2d6a3a60a Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Tue, 12 Sep 2023 03:20:33 +0000 -Subject: [PATCH 15/32] !2182 Add mutex for container list in sandbox * Add - mutex for container list in sandbox - ---- - src/daemon/sandbox/sandbox.cc | 4 ++++ - src/daemon/sandbox/sandbox.h | 1 + - 2 files changed, 5 insertions(+) - -diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc -index 1723e95e..f391e809 100644 ---- a/src/daemon/sandbox/sandbox.cc -+++ b/src/daemon/sandbox/sandbox.cc -@@ -131,6 +131,7 @@ auto Sandbox::GetRuntimeHandle() const -> const std::string & - - auto Sandbox::GetContainers() -> std::vector - { -+ ReadGuard lock(m_containersMutex); - return m_containers; - } - -@@ -394,16 +395,19 @@ void Sandbox::RemoveLabels(const std::string &key) - - void Sandbox::AddContainer(const std::string &id) - { -+ WriteGuard lock(m_containersMutex); - m_containers.push_back(id); - } - - void Sandbox::SetConatiners(const std::vector &cons) - { -+ WriteGuard lock(m_containersMutex); - m_containers = cons; - } - - void Sandbox::RemoveContainer(const std::string &id) - { -+ WriteGuard lock(m_containersMutex); - auto it = std::find(m_containers.begin(), m_containers.end(), id); - if (it != m_containers.end()) { - m_containers.erase(it); -diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h -index 0f135e70..89350131 100644 ---- a/src/daemon/sandbox/sandbox.h -+++ b/src/daemon/sandbox/sandbox.h -@@ -200,6 +200,7 @@ private: - std::string m_networkSettings; - // container id lists - std::vector m_containers; -+ RWMutex m_containersMutex; - // TOOD: m_sandboxConfig is a protobuf message, it can be converted to json string directly - // if save json string directly for sandbox recover, we need to consider hot - // upgrade between different CRI versions --- -2.25.1 - diff --git a/0015-2250-Remove-PERFMON-BPF-CHECKPOINT_RESTORE.patch b/0015-2250-Remove-PERFMON-BPF-CHECKPOINT_RESTORE.patch new file mode 100644 index 0000000..20223a6 --- /dev/null +++ b/0015-2250-Remove-PERFMON-BPF-CHECKPOINT_RESTORE.patch @@ -0,0 +1,33 @@ +From ba0460408ab6118e1ecf3dda242af1d4b0980777 Mon Sep 17 00:00:00 2001 +From: xuxuepeng +Date: Tue, 14 Nov 2023 14:00:31 +0000 +Subject: [PATCH 15/16] !2250 Remove PERFMON, BPF, CHECKPOINT_RESTORE Merge + pull request !2250 from xuxuepeng/master + +--- + src/utils/cutils/utils_cap.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/src/utils/cutils/utils_cap.c b/src/utils/cutils/utils_cap.c +index 6473df45..8c9cfafa 100644 +--- a/src/utils/cutils/utils_cap.c ++++ b/src/utils/cutils/utils_cap.c +@@ -74,15 +74,6 @@ const char *g_all_caps[] = { + #ifdef CAP_AUDIT_READ + "CAP_AUDIT_READ", + #endif +-#ifdef CAP_PERFMON +- "CAP_PERFMON", +-#endif +-#ifdef CAP_BPF +- "CAP_BPF", +-#endif +-#ifdef CAP_CHECKPOINT_RESTORE +- "CAP_CHECKPOINT_RESTORE", +-#endif + }; + + static inline size_t util_get_all_caps_len() +-- +2.42.0 + diff --git a/0016-2180-fix-execlp-not-enough-args.patch b/0016-2180-fix-execlp-not-enough-args.patch deleted file mode 100644 index 4b93598..0000000 --- a/0016-2180-fix-execlp-not-enough-args.patch +++ /dev/null @@ -1,54 +0,0 @@ -From e9c0fb3c72bd102f24afe247bb545df210fa9aee Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Tue, 12 Sep 2023 03:55:17 +0000 -Subject: [PATCH 16/32] !2180 fix execlp not enough args * fix execlp not - enough args - ---- - cmake/set_build_flags.cmake | 2 +- - test/fuzz/CMakeLists.txt | 2 +- - test/image/oci/oci_ut_common.cc | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake -index ba250cdc..09c85c65 100644 ---- a/cmake/set_build_flags.cmake -+++ b/cmake/set_build_flags.cmake -@@ -3,7 +3,7 @@ set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fP - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") - - if (GRPC_CONNECTOR) -- set(CMAKE_CXX_FLAGS "-fPIC -std=c++11 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") -+ set(CMAKE_CXX_FLAGS "-fPIC -std=c++17 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") - endif() - set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread") -diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt -index 478a4012..617a168f 100644 ---- a/test/fuzz/CMakeLists.txt -+++ b/test/fuzz/CMakeLists.txt -@@ -34,7 +34,7 @@ MESSAGE(STATUS "GCLANG_PP_BINARY is set to ${GCLANG_PP_BINARY}") - SET(CMAKE_C_COMPILER "${GCLANG_BINARY}") - SET(CMAKE_CXX_COMPILER "${GCLANG_PP_BINARY}") - SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 --coverage -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") --SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++11 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") -+SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++17 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") - SET(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) - - SET(EXE0 test_volume_mount_spec_fuzz) -diff --git a/test/image/oci/oci_ut_common.cc b/test/image/oci/oci_ut_common.cc -index 1158ae85..9fa25d1c 100644 ---- a/test/image/oci/oci_ut_common.cc -+++ b/test/image/oci/oci_ut_common.cc -@@ -22,7 +22,7 @@ - - int execvp_success(const char *file, char * const argv[]) - { -- execlp("echo", "echo"); -+ execlp("echo", "echo", NULL); - return -1; - } - --- -2.25.1 - diff --git a/0016-open-ENABLE_GRPC_REMOTE_CONNECT-in-CI.patch b/0016-open-ENABLE_GRPC_REMOTE_CONNECT-in-CI.patch new file mode 100644 index 0000000..01a2d1b --- /dev/null +++ b/0016-open-ENABLE_GRPC_REMOTE_CONNECT-in-CI.patch @@ -0,0 +1,57 @@ +From d903cd356a9fb47ddbc7d23e2f4fe2f72b6242ef Mon Sep 17 00:00:00 2001 +From: zhongtao +Date: Wed, 15 Nov 2023 10:25:40 +0800 +Subject: [PATCH 16/16] open ENABLE_GRPC_REMOTE_CONNECT in CI + +Signed-off-by: zhongtao +--- + CI/make-and-install.sh | 4 ++-- + CI/only_build_isulad.sh | 2 +- + CI/pr-gateway.sh | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/CI/make-and-install.sh b/CI/make-and-install.sh +index cdd0e432..c1d26ff1 100755 +--- a/CI/make-and-install.sh ++++ b/CI/make-and-install.sh +@@ -103,9 +103,9 @@ rm -rf build + mkdir build + cd build + if [[ ${enable_gcov} -ne 0 ]]; then +- cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DCMAKE_BUILD_TYPE=Debug -DGCOV=ON -DENABLE_EMBEDDED=ON -DENABLE_COVERAGE=ON -DENABLE_CRI_API_V1=ON -DENABLE_UT=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON .. ++ cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DCMAKE_BUILD_TYPE=Debug -DGCOV=ON -DENABLE_EMBEDDED=ON -DENABLE_COVERAGE=ON -DENABLE_CRI_API_V1=ON -DENABLE_UT=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_GRPC_REMOTE_CONNECT=ON .. + else +- cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DENABLE_EMBEDDED=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_CRI_API_V1=ON .. ++ cmake -DLIB_INSTALL_DIR=${builddir}/lib -DCMAKE_INSTALL_PREFIX=${builddir} -DCMAKE_INSTALL_SYSCONFDIR=${builddir}/etc -DENABLE_EMBEDDED=ON -DENABLE_METRICS=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_CRI_API_V1=ON -DENABLE_GRPC_REMOTE_CONNECT=ON .. + fi + make -j $(nproc) + make install +diff --git a/CI/only_build_isulad.sh b/CI/only_build_isulad.sh +index d2d3417d..c3dc39d6 100755 +--- a/CI/only_build_isulad.sh ++++ b/CI/only_build_isulad.sh +@@ -67,7 +67,7 @@ popd + git clone https://gitee.com/openeuler/iSulad.git + pushd iSulad + mkdir build && pushd build +-cmake -DENABLE_UT=ON ../ ++cmake -DENABLE_UT=ON -DENABLE_GRPC_REMOTE_CONNECT=ON ../ + make -j2 && make install + ctest -V + popd +diff --git a/CI/pr-gateway.sh b/CI/pr-gateway.sh +index 291fc4ae..08bcfc4f 100755 +--- a/CI/pr-gateway.sh ++++ b/CI/pr-gateway.sh +@@ -99,7 +99,7 @@ pushd iSulad + rm -rf build + mkdir build + pushd build +-cmake -DDEBUG=ON -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_UT=ON -DENABLE_CRI_API_V1=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_SHIM_V2=OFF ../ || exit 1 ++cmake -DDEBUG=ON -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_UT=ON -DENABLE_CRI_API_V1=ON -DENABLE_REMOTE_LAYER_STORE=ON -DENABLE_SHIM_V2=OFF -DENABLE_GRPC_REMOTE_CONNECT=ON ../ || exit 1 + make -j $(nproc) || exit 1 + ctest -V + popd +-- +2.42.0 + diff --git a/0017-2135-modify-incorrect-variable-type.patch b/0017-2135-modify-incorrect-variable-type.patch deleted file mode 100644 index 49c1ce6..0000000 --- a/0017-2135-modify-incorrect-variable-type.patch +++ /dev/null @@ -1,200 +0,0 @@ -From e7f21e04b8710ec60045ba26ebdda5ce8a0c0f09 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Mon, 28 Aug 2023 06:46:10 +0000 -Subject: [PATCH 17/32] !2135 modify incorrect variable type * modify incorrect - variable type - ---- - src/client/connect/protocol_type.h | 2 +- - src/daemon/modules/image/oci/oci_load.c | 4 ++-- - src/daemon/modules/image/oci/registry/registry.c | 12 +++++++----- - .../oci/storage/layer_store/graphdriver/driver.c | 2 +- - .../image/oci/storage/layer_store/layer_store.c | 15 +++++++++------ - src/daemon/modules/image/oci/storage/storage.c | 2 +- - src/daemon/modules/image/oci/utils_images.c | 4 ++-- - src/daemon/modules/service/service_container.c | 2 +- - 8 files changed, 24 insertions(+), 19 deletions(-) - -diff --git a/src/client/connect/protocol_type.h b/src/client/connect/protocol_type.h -index 62d27c91..4206c50b 100644 ---- a/src/client/connect/protocol_type.h -+++ b/src/client/connect/protocol_type.h -@@ -244,7 +244,7 @@ typedef struct container_events_format { - char *opt; - char *id; - char **annotations; -- char annotations_len; -+ size_t annotations_len; - } container_events_format_t; - - typedef void (*container_events_callback_t)(const container_events_format_t *event); -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index 5511a70c..5e062d44 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -164,7 +164,7 @@ static void oci_load_free_layer(load_layer_blob_t *l) - - static void oci_load_free_image(load_image_t *im) - { -- int i = 0; -+ size_t i = 0; - - if (im == NULL) { - return; -@@ -406,7 +406,7 @@ out: - - static int check_time_valid(oci_image_spec *conf) - { -- int i = 0; -+ size_t i = 0; - - if (!oci_valid_time(conf->created)) { - ERROR("Invalid created time %s", conf->created); -diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c -index 5c660bc9..e0b46e2e 100644 ---- a/src/daemon/modules/image/oci/registry/registry.c -+++ b/src/daemon/modules/image/oci/registry/registry.c -@@ -655,18 +655,20 @@ static int register_layer(pull_descriptor *desc, size_t i) - - static int get_top_layer_index(pull_descriptor *desc, size_t *top_layer_index) - { -- int i = 0; -+ size_t i; - - if (desc == NULL || top_layer_index == NULL) { - ERROR("Invalid NULL pointer"); - return -1; - } -- -- for (i = desc->layers_len - 1; i >= 0; i--) { -- if (desc->layers[i].empty_layer) { -+ // iterate over the layers array in reverse order, starting from the last layer -+ // since i is an unsigned number, i traverses from layers_len to 1 -+ for (i = desc->layers_len; i > 0; i--) { -+ // the corresponding array index is [i - 1]: layers_len - 1 -> 0 -+ if (desc->layers[i - 1].empty_layer) { - continue; - } -- *top_layer_index = i; -+ *top_layer_index = i - 1; - return 0; - } - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -index b1790af1..fc2857b6 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -@@ -345,7 +345,7 @@ int graphdriver_apply_diff(const char *id, const struct io_read_wrapper *content - container_inspect_graph_driver *graphdriver_get_metadata(const char *id) - { - int ret = -1; -- int i = 0; -+ size_t i = 0; - container_inspect_graph_driver *inspect_driver = NULL; - json_map_string_string *metadata = NULL; - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -index 8d8384b8..6ea3c48b 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -@@ -747,7 +747,7 @@ out: - static int insert_memory_stores(const char *id, const struct layer_opts *opts, layer_t *l) - { - int ret = 0; -- int i = 0; -+ size_t i = 0; - - if (!append_layer_into_list(l)) { - ret = -1; -@@ -788,9 +788,12 @@ clear_compress_digest: - (void)delete_digest_from_map(g_metadata.by_compress_digest, l->slayer->compressed_diff_digest, id); - } - clear_by_name: -- for (i = i - 1; i >= 0; i--) { -- if (!map_remove(g_metadata.by_name, (void *)opts->names[i])) { -- WARN("Remove name: %s failed", opts->names[i]); -+ // iterate over the names in reverse order, starting from the last name -+ // since i is an unsigned number, i traverses from inserted name len to 1 -+ for (; i > 0; i--) { -+ // the corresponding array index is [i - 1]: inserted name len - 1 -> 0 -+ if (!map_remove(g_metadata.by_name, (void *)opts->names[i - 1])) { -+ WARN("Remove name: %s failed", opts->names[i - 1]); - } - } - if (!map_remove(g_metadata.by_id, (void *)id)) { -@@ -1812,7 +1815,7 @@ void layer_store_exit() - static uint64_t payload_to_crc(char *payload) - { - int ret = 0; -- int i = 0; -+ size_t i = 0; - uint64_t crc = 0; - uint8_t *crc_sums = NULL; - size_t crc_sums_len = 0; -@@ -2232,7 +2235,7 @@ int remote_load_one_layer(const char *id) - { - int ret = 0; - layer_t *tl = NULL; -- int i = 0; -+ size_t i = 0; - - if (!layer_store_lock(true)) { - return -1; -diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c -index aa442ecf..13f8bb53 100644 ---- a/src/daemon/modules/image/oci/storage/storage.c -+++ b/src/daemon/modules/image/oci/storage/storage.c -@@ -1538,7 +1538,7 @@ out: - - static bool is_rootfs_layer(const char *layer_id, const struct rootfs_list *all_rootfs) - { -- int j; -+ size_t j; - - if (all_rootfs == NULL || layer_id == NULL) { - return false; -diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c -index a233c2b1..2c5656c6 100644 ---- a/src/daemon/modules/image/oci/utils_images.c -+++ b/src/daemon/modules/image/oci/utils_images.c -@@ -450,7 +450,7 @@ static char *convert_created_by(image_manifest_v1_compatibility *config) - int add_rootfs_and_history(const layer_blob *layers, size_t layers_len, const registry_manifest_schema1 *manifest, - docker_image_config_v2 *config) - { -- int i = 0; -+ size_t i = 0; - int ret = 0; - size_t history_index = 0; - parser_error err = NULL; -@@ -511,7 +511,7 @@ int add_rootfs_and_history(const layer_blob *layers, size_t layers_len, const re - - ret = util_array_append(&config->rootfs->diff_ids, layers[i].diff_id); - if (ret != 0) { -- ERROR("append diff id of layer %u to rootfs failed, diff id is %s", i, layers[i].diff_id); -+ ERROR("append diff id of layer %zu to rootfs failed, diff id is %s", i, layers[i].diff_id); - ret = -1; - goto out; - } -diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c -index 83d82201..1fa2559d 100644 ---- a/src/daemon/modules/service/service_container.c -+++ b/src/daemon/modules/service/service_container.c -@@ -320,7 +320,6 @@ static int write_env_content(const char *env_path, const char **env, size_t env_ - int fd = -1; - size_t i = 0; - ssize_t nret = 0; -- int env_max = 4096; - - ret = create_env_path_dir(env_path); - if (ret < 0) { -@@ -335,6 +334,7 @@ static int write_env_content(const char *env_path, const char **env, size_t env_ - } - if (env != NULL) { - for (i = 0; i < env_len; i++) { -+ size_t env_max = 4096; - if (strlen(env[i]) > env_max) { - ERROR("Env is too long"); - ret = -1; --- -2.25.1 - diff --git a/0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch b/0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch deleted file mode 100644 index 177c3b9..0000000 --- a/0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch +++ /dev/null @@ -1,1575 +0,0 @@ -From c6442b5805d39d8749a1016e2932543a130f16dc Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Fri, 25 Aug 2023 17:34:12 +0800 -Subject: [PATCH 18/32] make sure the input parameter is not empty and optimize - the code - -Signed-off-by: zhongtao ---- - src/daemon/modules/api/image_api.h | 2 +- - src/daemon/modules/image/external/ext_image.c | 8 ++- - src/daemon/modules/image/image.c | 47 +++++++++++----- - src/daemon/modules/image/image_spec_merge.c | 2 +- - .../modules/image/oci/oci_common_operators.c | 9 ++- - src/daemon/modules/image/oci/oci_image.c | 8 +-- - src/daemon/modules/image/oci/oci_image.h | 2 +- - src/daemon/modules/image/oci/oci_image_type.h | 42 -------------- - src/daemon/modules/image/oci/oci_import.c | 1 + - src/daemon/modules/image/oci/oci_load.c | 10 +--- - src/daemon/modules/image/oci/oci_load.h | 2 +- - src/daemon/modules/image/oci/oci_login.c | 2 +- - src/daemon/modules/image/oci/oci_logout.c | 2 +- - src/daemon/modules/image/oci/oci_pull.c | 4 +- - .../image/oci/registry/registry_apiv2.c | 2 +- - .../oci/storage/image_store/image_store.c | 45 ++++++++++++--- - .../oci/storage/image_store/image_store.h | 4 +- - .../graphdriver/devmapper/deviceset.c | 10 ++-- - .../graphdriver/devmapper/driver_devmapper.c | 4 +- - .../graphdriver/devmapper/wrapper_devmapper.c | 14 +++-- - .../graphdriver/devmapper/wrapper_devmapper.h | 8 +-- - .../graphdriver/overlay2/driver_overlay2.c | 17 +++--- - .../graphdriver/overlay2/driver_overlay2.h | 2 - - .../image/oci/storage/layer_store/layer.c | 2 +- - .../image/oci/storage/layer_store/layer.h | 2 +- - .../oci/storage/layer_store/layer_store.c | 55 ++++++++----------- - .../oci/storage/layer_store/layer_store.h | 8 +-- - .../remote_layer_support/image_remote_impl.c | 12 +++- - .../remote_layer_support/layer_remote_impl.c | 10 ++++ - .../overlay_remote_impl.c | 10 ++++ - .../remote_layer_support/remote_support.c | 5 ++ - .../ro_symlink_maintain.c | 11 +++- - .../oci/storage/rootfs_store/rootfs_store.c | 8 +-- - .../oci/storage/rootfs_store/rootfs_store.h | 6 +- - .../modules/image/oci/storage/storage.c | 35 ++++++++++-- - .../modules/image/oci/storage/storage.h | 6 +- - src/daemon/modules/image/oci/utils_images.c | 7 ++- - src/daemon/modules/image/oci/utils_images.h | 2 +- - src/utils/http/http.h | 2 + - .../oci/storage/layers/storage_driver_ut.cc | 10 +--- - .../oci/storage/layers/storage_layers_ut.cc | 34 ------------ - test/mocks/driver_overlay2_mock.cc | 8 --- - test/mocks/driver_overlay2_mock.h | 1 - - 43 files changed, 251 insertions(+), 230 deletions(-) - delete mode 100644 src/daemon/modules/image/oci/oci_image_type.h - -diff --git a/src/daemon/modules/api/image_api.h b/src/daemon/modules/api/image_api.h -index 4bb8d1a9..2f2c00a2 100644 ---- a/src/daemon/modules/api/image_api.h -+++ b/src/daemon/modules/api/image_api.h -@@ -239,7 +239,7 @@ typedef struct { - - int image_module_init(const isulad_daemon_configs *args); - --void image_module_exit(); -+void image_module_exit(void); - - int im_get_container_filesystem_usage(const char *image_type, const char *id, imagetool_fs_info **fs_usage); - -diff --git a/src/daemon/modules/image/external/ext_image.c b/src/daemon/modules/image/external/ext_image.c -index e1706469..5b6b7298 100644 ---- a/src/daemon/modules/image/external/ext_image.c -+++ b/src/daemon/modules/image/external/ext_image.c -@@ -138,13 +138,17 @@ int ext_list_images(const im_list_request *request, imagetool_images_list **list - { - int ret = 0; - -+ if (request == NULL || list == NULL) { -+ ERROR("Empty request or list"); -+ return -1; -+ } -+ - *list = util_common_calloc_s(sizeof(imagetool_images_list)); - if (*list == NULL) { - ERROR("Memory out"); - ret = -1; -- goto out; - } --out: -+ - return ret; - } - -diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c -index 322ab67c..408ceea2 100644 ---- a/src/daemon/modules/image/image.c -+++ b/src/daemon/modules/image/image.c -@@ -374,8 +374,8 @@ int im_resolv_image_name(const char *image_type, const char *image_name, char ** - int ret = -1; - const struct bim_type *q = NULL; - -- if (image_type == NULL) { -- ERROR("Image type is required"); -+ if (image_type == NULL || image_name == NULL || resolved_name == NULL) { -+ ERROR("Image type image_name and resolved_name is required"); - goto out; - } - q = get_bim_by_type(image_type); -@@ -402,8 +402,8 @@ int im_get_filesystem_info(const char *image_type, im_fs_info_response **respons - int ret = -1; - const struct bim_type *q = NULL; - -- if (image_type == NULL) { -- ERROR("Image type is required"); -+ if (image_type == NULL || response == NULL) { -+ ERROR("Image type and response is required"); - goto out; - } - -@@ -419,7 +419,7 @@ int im_get_filesystem_info(const char *image_type, im_fs_info_response **respons - INFO("Event: {Object: get image filesystem info, Type: inspecting}"); - ret = q->ops->get_filesystem_info(response); - if (ret != 0) { -- if (response != NULL && *response != NULL) { -+ if (*response != NULL && (*response)->errmsg != NULL) { - ERROR("Get filesystem info failed: %s", (*response)->errmsg); - } else { - ERROR("Get filesystem info failed"); -@@ -439,7 +439,7 @@ int im_get_container_filesystem_usage(const char *image_type, const char *id, im - const struct bim_type *q = NULL; - im_container_fs_usage_request *request = NULL; - -- if (image_type == NULL || id == NULL) { -+ if (image_type == NULL || id == NULL || fs_usage == NULL) { - ERROR("Invalid input arguments"); - ret = -1; - goto out; -@@ -763,6 +763,12 @@ bool im_config_image_exist(const char *image_name) - { - const struct bim_type *bim_type = NULL; - -+ if (image_name == NULL) { -+ ERROR("Invalid input arguments"); -+ isulad_set_error_message("Invalid input arguments"); -+ return false; -+ } -+ - bim_type = bim_query(image_name); - if (bim_type == NULL) { - ERROR("Config image %s not exist", image_name); -@@ -778,7 +784,7 @@ int im_merge_image_config(const char *image_type, const char *image_name, contai - int ret = 0; - struct bim *bim = NULL; - -- if (container_spec == NULL || image_type == NULL) { -+ if (container_spec == NULL || image_name == NULL || image_type == NULL) { - ERROR("Invalid input arguments"); - ret = -1; - goto out; -@@ -905,7 +911,7 @@ int im_list_images(const im_list_request *ctx, im_list_response **response) - size_t i; - imagetool_images_list *images_tmp = NULL; - -- if (response == NULL) { -+ if (ctx == NULL || response == NULL) { - ERROR("Empty arguments"); - return -1; - } -@@ -982,6 +988,12 @@ static bool check_im_pull_args(const im_pull_request *req, im_pull_response * co - isulad_set_error_message("Empty image required"); - return false; - } -+ -+ if (req->type == NULL) { -+ ERROR("Empty type required"); -+ isulad_set_error_message("Empty type required"); -+ return false; -+ } - return true; - } - -@@ -1079,7 +1091,7 @@ int im_import_image(const im_import_request *request, char **id) - return -1; - } - -- if (request->file == NULL) { -+ if (request->file == NULL || request->tag == NULL) { - ERROR("Import image requires image tarball file path"); - isulad_set_error_message("Import image requires image tarball file path"); - goto pack_response; -@@ -1185,7 +1197,8 @@ int im_load_image(const im_load_request *request, im_load_response **response) - - ret = bim->ops->load_image(request); - if (ret != 0) { -- ERROR("Failed to load image from %s with tag %s and type %s", request->file, request->tag, request->type); -+ // request->tag may be empty -+ ERROR("Failed to load image from %s with type %s", request->file, request->type); - ret = -1; - goto pack_response; - } -@@ -1368,11 +1381,16 @@ int im_logout(const im_logout_request *request, im_logout_response **response) - int ret = -1; - struct bim *bim = NULL; - -- if (response == NULL) { -+ if (request == NULL || response == NULL) { - ERROR("Empty response"); - return -1; - } - -+ if (request->type == NULL || request->server == NULL) { -+ ERROR("Empty type or server"); -+ return -1; -+ } -+ - *response = util_common_calloc_s(sizeof(im_logout_response)); - if (*response == NULL) { - ERROR("Out of memory"); -@@ -1842,13 +1860,12 @@ char *im_get_rootfs_dir(const im_get_rf_dir_request *request) - char *dir = NULL; - struct bim *bim = NULL; - -- if (request->type == NULL) { -+ if (request == NULL || request->type == NULL) { - ERROR("Missing image type"); - return NULL; - } - - bim = bim_get(request->type, NULL, NULL, NULL); -- - if (bim == NULL) { - ERROR("Failed to init bim, image type:%s", request->type); - return NULL; -@@ -1916,7 +1933,7 @@ int image_module_init(const isulad_daemon_configs *args) - return bims_init(args); - } - --void image_module_exit() -+void image_module_exit(void) - { - size_t i; - -@@ -2085,7 +2102,7 @@ int im_prepare_container_rootfs(const im_prepare_request *request, char **real_r - int nret = 0; - struct bim *bim = NULL; - -- if (request == NULL) { -+ if (request == NULL || real_rootfs == NULL) { - ERROR("Invalid input arguments"); - return -1; - } -diff --git a/src/daemon/modules/image/image_spec_merge.c b/src/daemon/modules/image/image_spec_merge.c -index e8cdae28..1e857bb7 100644 ---- a/src/daemon/modules/image/image_spec_merge.c -+++ b/src/daemon/modules/image/image_spec_merge.c -@@ -29,7 +29,7 @@ int image_spec_merge_env(const char **env, size_t env_len, container_config *con - char **im_kv = NULL; - char **custom_kv = NULL; - -- if (env == NULL || env_len == 0) { -+ if (env == NULL || env_len == 0 || container_spec == NULL) { - return 0; - } - -diff --git a/src/daemon/modules/image/oci/oci_common_operators.c b/src/daemon/modules/image/oci/oci_common_operators.c -index 83cccbe6..e15423e6 100644 ---- a/src/daemon/modules/image/oci/oci_common_operators.c -+++ b/src/daemon/modules/image/oci/oci_common_operators.c -@@ -57,7 +57,7 @@ char *oci_resolve_image_name(const char *name) - - int oci_get_user_conf(const char *basefs, host_config *hc, const char *userstr, defs_process_user *puser) - { -- if (basefs == NULL || puser == NULL) { -+ if (basefs == NULL || puser == NULL || hc == NULL) { - ERROR("Empty basefs or puser"); - return -1; - } -@@ -371,6 +371,11 @@ int oci_list_images(const im_list_request *request, imagetool_images_list **imag - int ret = 0; - struct filters_args *image_filters = NULL; - -+ if (request == NULL || images == NULL) { -+ ERROR("Empty request or images"); -+ return -1; -+ } -+ - if (request != NULL && request->image_filters != NULL) { - image_filters = request->image_filters; - } -@@ -408,7 +413,7 @@ int oci_summary_image(im_summary_request *request, im_summary_response *response - char *image_ref = NULL; - char *resolved_name = NULL; - -- if (response == NULL) { -+ if (request == NULL || response == NULL) { - ERROR("Invalid arguments"); - return -1; - } -diff --git a/src/daemon/modules/image/oci/oci_image.c b/src/daemon/modules/image/oci/oci_image.c -index 4a48016b..f712a446 100644 ---- a/src/daemon/modules/image/oci/oci_image.c -+++ b/src/daemon/modules/image/oci/oci_image.c -@@ -353,7 +353,7 @@ out: - return ret; - } - --void oci_exit() -+void oci_exit(void) - { - storage_module_exit(); - free_oci_image_data(); -@@ -396,7 +396,7 @@ int oci_prepare_rf(const im_prepare_request *request, char **real_rootfs) - { - int ret = 0; - -- if (request == NULL) { -+ if (request == NULL || request->container_id == NULL) { - ERROR("Bim is NULL"); - return -1; - } -@@ -457,7 +457,7 @@ int oci_mount_rf(const im_mount_request *request) - { - char *mount_point = NULL; - -- if (request == NULL) { -+ if (request == NULL || request->name_id == NULL) { - ERROR("Invalid arguments"); - return -1; - } -@@ -796,7 +796,7 @@ int oci_export_rf(const im_export_request *request) - { - int ret = 0; - -- if (request == NULL) { -+ if (request == NULL || request->name_id == NULL) { - ERROR("Invalid input arguments"); - return -1; - } -diff --git a/src/daemon/modules/image/oci/oci_image.h b/src/daemon/modules/image/oci/oci_image.h -index c52c8a7b..07f10c8d 100644 ---- a/src/daemon/modules/image/oci/oci_image.h -+++ b/src/daemon/modules/image/oci/oci_image.h -@@ -41,7 +41,7 @@ struct oci_image_module_data { - struct oci_image_module_data *get_oci_image_data(void); - - int oci_init(const isulad_daemon_configs *args); --void oci_exit(); -+void oci_exit(void); - - int oci_pull_rf(const im_pull_request *request, im_pull_response *response); - int oci_rmi(const im_rmi_request *request); -diff --git a/src/daemon/modules/image/oci/oci_image_type.h b/src/daemon/modules/image/oci/oci_image_type.h -deleted file mode 100644 -index f436a453..00000000 ---- a/src/daemon/modules/image/oci/oci_image_type.h -+++ /dev/null -@@ -1,42 +0,0 @@ --/****************************************************************************** -- * Copyright (c) Huawei Technologies Co., Ltd. 2018-2019. All rights reserved. -- * iSulad licensed under the Mulan PSL v2. -- * You can use this software according to the terms and conditions of the Mulan PSL v2. -- * You may obtain a copy of Mulan PSL v2 at: -- * http://license.coscl.org.cn/MulanPSL2 -- * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -- * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -- * PURPOSE. -- * See the Mulan PSL v2 for more details. -- * Author: lifeng -- * Create: 2018-11-08 -- * Description: provide image type definition -- ******************************************************************************/ -- --#ifndef DAEMON_MODULES_IMAGE_OCI_OCI_IMAGE_TYPE_H --#define DAEMON_MODULES_IMAGE_OCI_OCI_IMAGE_TYPE_H -- --#ifdef __cplusplus --extern "C" { --#endif -- --/* AuthConfig contains authorization information for connecting to a registry */ --typedef struct { -- char *username; -- char *password; -- char *auth; -- char *server_address; -- -- // IdentityToken is used to authenticate the user and get -- // an access token for the registry. -- char *identity_token; -- -- // RegistryToken is a bearer token to be sent to a registry -- char *registry_token; --} auth_config; -- --#ifdef __cplusplus --} --#endif -- --#endif -diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c -index 93179504..1e14a916 100644 ---- a/src/daemon/modules/image/oci/oci_import.c -+++ b/src/daemon/modules/image/oci/oci_import.c -@@ -268,6 +268,7 @@ static int create_manifest(import_desc *desc) - manifest->layers[0]->size = desc->compressed_size; - manifest->layers[0]->digest = util_strdup_s(desc->compressed_digest); - -+ // the image manifest schema version is v2 - manifest->schema_version = 2; - manifest->media_type = util_strdup_s(DOCKER_MANIFEST_SCHEMA2_JSON); - -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index 5e062d44..569c5346 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -851,20 +851,17 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre) - id = oci_load_without_sha256_prefix(chain_id_pre); - if (id == NULL) { - ERROR("Get chain id failed from value:%s", chain_id_pre); -- size = -1; -- goto out; -+ return -1; - } - - l = storage_layer_get(id); - if (l == NULL) { - ERROR("Layer with chain id:%s is not exist in store", id); -- size = -1; -- goto out; -+ return -1; - } - - size = l->compress_size; - --out: - free_layer(l); - return size; - } -@@ -883,8 +880,7 @@ static int oci_load_set_manifest_info(load_image_t *im) - im->manifest = util_common_calloc_s(sizeof(oci_image_manifest)); - if (im->manifest == NULL) { - ERROR("Out of memory"); -- ret = -1; -- goto out; -+ return -1; - } - - im->manifest->schema_version = OCI_SCHEMA_VERSION; -diff --git a/src/daemon/modules/image/oci/oci_load.h b/src/daemon/modules/image/oci/oci_load.h -index e1e09067..53ca87d2 100644 ---- a/src/daemon/modules/image/oci/oci_load.h -+++ b/src/daemon/modules/image/oci/oci_load.h -@@ -1,5 +1,5 @@ - /****************************************************************************** --* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -+* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -diff --git a/src/daemon/modules/image/oci/oci_login.c b/src/daemon/modules/image/oci/oci_login.c -index 22de9593..e9eec378 100644 ---- a/src/daemon/modules/image/oci/oci_login.c -+++ b/src/daemon/modules/image/oci/oci_login.c -@@ -1,5 +1,5 @@ - /****************************************************************************** --* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -+* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -diff --git a/src/daemon/modules/image/oci/oci_logout.c b/src/daemon/modules/image/oci/oci_logout.c -index 02fdb126..f8a63220 100644 ---- a/src/daemon/modules/image/oci/oci_logout.c -+++ b/src/daemon/modules/image/oci/oci_logout.c -@@ -1,5 +1,5 @@ - /****************************************************************************** --* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -+* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -diff --git a/src/daemon/modules/image/oci/oci_pull.c b/src/daemon/modules/image/oci/oci_pull.c -index 5b35ca2b..e7ff77df 100644 ---- a/src/daemon/modules/image/oci/oci_pull.c -+++ b/src/daemon/modules/image/oci/oci_pull.c -@@ -1,5 +1,5 @@ - /****************************************************************************** --* Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -+* Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -@@ -70,7 +70,7 @@ out: - return ret; - } - --static void update_option_insecure_registry(registry_pull_options *options, char **insecure_registries, char *host) -+static void update_option_insecure_registry(registry_pull_options *options, char **insecure_registries, const char *host) - { - char **registry = NULL; - -diff --git a/src/daemon/modules/image/oci/registry/registry_apiv2.c b/src/daemon/modules/image/oci/registry/registry_apiv2.c -index 048fac94..db4d311e 100644 ---- a/src/daemon/modules/image/oci/registry/registry_apiv2.c -+++ b/src/daemon/modules/image/oci/registry/registry_apiv2.c -@@ -632,7 +632,7 @@ static int split_head_body(char *file, char **http_head) - } - body += strlen(deli); - -- ret = util_write_file(file, body, strlen(body), 0600); -+ ret = util_write_file(file, body, strlen(body), BODY_FILE_MODE); - if (ret != 0) { - ERROR("rewrite body to file failed"); - ret = -1; -diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c -index 55e3bb97..b7e0f0cc 100644 ---- a/src/daemon/modules/image/oci/storage/image_store/image_store.c -+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c -@@ -146,7 +146,7 @@ static void free_image_store(image_store_t *store) - free(store); - } - --void image_store_free() -+void image_store_free(void) - { - free_image_store(g_image_store); - g_image_store = NULL; -@@ -1185,6 +1185,11 @@ int image_store_set_big_data(const char *id, const char *key, const char *data) - return -1; - } - -+ if (id == NULL || data == NULL) { -+ ERROR("Empty id or data"); -+ return -1; -+ } -+ - if (g_image_store == NULL) { - ERROR("Image store is not ready"); - return -1; -@@ -1287,7 +1292,7 @@ int image_store_add_name(const char *id, const char *name) - size_t i; - - if (id == NULL || name == NULL) { -- ERROR("Invalid input paratemer: id(%s), name(%s)", id, name); -+ ERROR("Invalid input paratemer"); - return -1; - } - -@@ -1515,7 +1520,7 @@ int image_store_set_metadata(const char *id, const char *metadata) - image_t *img = NULL; - - if (id == NULL || metadata == NULL) { -- ERROR("Invalid paratemer: id(%s), metadata(%s)", id, metadata); -+ ERROR("Invalid paratemer"); - return -1; - } - -@@ -1664,7 +1669,6 @@ char *image_store_big_data(const char *id, const char *key) - } - - ret = get_data_path(img->simage->id, key, filename, sizeof(filename)); -- - if (ret != 0) { - ERROR("Failed to get big data file path: %s.", key); - goto out; -@@ -1809,7 +1813,7 @@ char *image_store_big_data_digest(const char *id, const char *key) - image_t *img = NULL; - char *digest = NULL; - -- if (key == NULL || strlen(key) == 0) { -+ if (key == NULL || strlen(key) == 0 || id == NULL) { - ERROR("Not a valid name for a big data item, can't retrieve image big data value for empty name"); - return NULL; - } -@@ -1854,8 +1858,8 @@ int image_store_big_data_names(const char *id, char ***names, size_t *names_len) - int ret = 0; - image_t *img = NULL; - -- if (id == NULL) { -- ERROR("Invalid parameter, id is NULL"); -+ if (id == NULL || names == NULL || names_len == NULL) { -+ ERROR("Invalid parameter"); - return -1; - } - -@@ -2724,7 +2728,7 @@ unlock: - return ret; - } - --size_t image_store_get_images_number() -+size_t image_store_get_images_number(void) - { - size_t number = 0; - -@@ -3140,6 +3144,11 @@ int image_store_validate_manifest_schema_version_1(const char *path, bool *valid - char manifest_path[PATH_MAX] = { 0x00 }; - bool valid_v2_config = false; - -+ if (path == NULL || valid == NULL) { -+ ERROR("Empty path or valid"); -+ return -1; -+ } -+ - *valid = false; - nret = snprintf(manifest_path, sizeof(manifest_path), "%s/%s", path, IMAGE_DIGEST_BIG_DATA_KEY); - if (nret < 0 || (size_t)nret >= sizeof(manifest_path)) { -@@ -3698,6 +3707,11 @@ int remote_append_image_by_directory_with_lock(const char *id) - return -1; - } - -+ if (g_image_store == NULL) { -+ ERROR("Image store is not ready"); -+ return -1; -+ } -+ - if (!image_store_lock(EXCLUSIVE)) { - ERROR("Failed to lock remote image store when handle: %s", id); - return -1; -@@ -3732,6 +3746,11 @@ int remote_remove_image_from_memory_with_lock(const char *id) - return -1; - } - -+ if (g_image_store == NULL) { -+ ERROR("Image store is not ready"); -+ return -1; -+ } -+ - if (!image_store_lock(EXCLUSIVE)) { - ERROR("Failed to lock remote image store when handle: %s", id); - return -1; -@@ -3758,6 +3777,16 @@ char *remote_image_get_top_layer_from_json(const char *img_id) - storage_image *im = NULL; - parser_error err = NULL; - -+ if (img_id == NULL) { -+ ERROR("Empty img id"); -+ return NULL; -+ } -+ -+ if (g_image_store == NULL) { -+ ERROR("Image store is not ready"); -+ return NULL; -+ } -+ - nret = snprintf(image_path, sizeof(image_path), "%s/%s/%s", g_image_store->dir, img_id, IMAGE_JSON); - if (nret < 0 || (size_t)nret >= sizeof(image_path)) { - ERROR("Failed to get image path"); -diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.h b/src/daemon/modules/image/oci/storage/image_store/image_store.h -index 5164cc73..019a2881 100644 ---- a/src/daemon/modules/image/oci/storage/image_store/image_store.h -+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.h -@@ -98,13 +98,13 @@ int image_store_set_image_size(const char *id, uint64_t size); - int image_store_get_all_images(imagetool_images_list *images_list); - - // On success, the number of the known images is returned. On failure, (size_t)-1 is returned --size_t image_store_get_images_number(); -+size_t image_store_get_images_number(void); - - // Retrieves image file system info - int image_store_get_fs_info(imagetool_fs_info *fs_info); - - // Free memory of image store, but will not delete the persisted files --void image_store_free(); -+void image_store_free(void); - - imagetool_image_summary *image_store_get_image_summary(const char *id); - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -index 4f19c26d..79541e54 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -@@ -499,14 +499,14 @@ bool has_metadata(const char *hash, struct device_set *devset) - bool ret = true; - int nret = 0; - -- if (hash == NULL) { -+ if (hash == NULL || devset == NULL) { - return true; - } - - metadata_path = metadata_dir(devset); - if (metadata_path == NULL) { - ERROR("Failed to get meta data directory"); -- goto out; -+ return false; - } - - nret = snprintf(metadata_file, sizeof(metadata_file), "%s/%s", metadata_path, util_valid_str(hash) ? hash : "base"); -@@ -541,7 +541,7 @@ static image_devmapper_device_info *load_metadata(const struct device_set *devse - metadata_path = metadata_dir(devset); - if (metadata_path == NULL) { - ERROR("Failed to get meta data directory"); -- goto out; -+ return NULL; - } - - nret = snprintf(metadata_file, sizeof(metadata_file), "%s/%s", metadata_path, util_valid_str(hash) ? hash : "base"); -@@ -3076,7 +3076,7 @@ int mount_device(const char *hash, const char *path, const struct driver_mount_o - char *dev_fname = NULL; - char *options = NULL; - -- if (hash == NULL || path == NULL) { -+ if (hash == NULL || path == NULL || devset == NULL) { - ERROR("devmapper: invalid input params to mount device"); - return -1; - } -@@ -3236,7 +3236,7 @@ int export_device_metadata(struct device_metadata *dev_metadata, const char *has - char *dm_name = NULL; - devmapper_device_info_t *device_info = NULL; - -- if (hash == NULL || dev_metadata == NULL) { -+ if (hash == NULL || dev_metadata == NULL || devset == NULL) { - ERROR("Invalid input params"); - return -1; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c -index ecb62f79..d62d3133 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.c -@@ -198,7 +198,7 @@ int devmapper_rm_layer(const char *id, const struct graphdriver *driver) - } - - if (delete_device(id, false, driver->devset) != 0) { -- ERROR("failed to remove device %s", id); -+ ERROR("Failed to remove device %s", id); - return -1; - } - -@@ -624,7 +624,7 @@ int devmapper_clean_up(struct graphdriver *driver) - { - int ret = 0; - -- if (driver == NULL) { -+ if (driver == NULL || driver->devset == NULL || driver->home == NULL) { - ERROR("Invalid input param to cleanup devicemapper"); - return -1; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c -index e91ddd1e..e22311f1 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.c -@@ -192,7 +192,7 @@ cleanup: - return NULL; - } - --char *dev_get_driver_version() -+char *dev_get_driver_version(void) - { - struct dm_task *dmt = NULL; - char *version = NULL; -@@ -234,7 +234,7 @@ cleanup: - } - - // dev_get_library_version return the device mapper library version --char *dev_get_library_version() -+char *dev_get_library_version(void) - { - char version[128] = { 0 }; - -@@ -679,7 +679,7 @@ cleanup: - return ret; - } - --bool udev_sync_supported() -+bool udev_sync_supported(void) - { - return dm_udev_get_sync_support() != 0; - } -@@ -705,7 +705,8 @@ int dev_create_device(const char *pool_fname, int device_id) - int ret = 0; - int nret = 0; - uint64_t sector = 0; -- char message[PATH_MAX] = { 0 }; // 临时字符缓冲区上限 -+ // temporary character buffer limit -+ char message[PATH_MAX] = { 0 }; - struct dm_task *dmt = NULL; - - if (pool_fname == NULL) { -@@ -1066,7 +1067,7 @@ static void log_cb(int level, const char *file, int line, int dm_errno_or_class, - free(buffer); - } - --void log_with_errno_init() -+void log_with_errno_init(void) - { - dm_log_with_errno_init(log_cb); - } -@@ -1136,7 +1137,8 @@ int dev_set_transaction_id(const char *pool_name, uint64_t old_id, uint64_t new_ - int ret = 0; - int nret = 0; - uint64_t sector = 0; -- char message[PATH_MAX] = { 0 }; // 临时字符缓冲区上限 -+ // temporary character buffer limit -+ char message[PATH_MAX] = { 0 }; - struct dm_task *dmt = NULL; - - if (pool_name == NULL) { -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h -index e8acebc0..01771a3b 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h -@@ -96,11 +96,11 @@ int set_dev_dir(const char *dir); - - struct dm_task* task_create_named(int type, const char *name); - --void log_with_errno_init(); -+void log_with_errno_init(void); - --char *dev_get_driver_version(); -+char *dev_get_driver_version(void); - --char *dev_get_library_version(); -+char *dev_get_library_version(void); - - int dev_get_status(uint64_t *start, uint64_t *length, char **target_type, char **params, const char *name); - -@@ -112,7 +112,7 @@ int dev_remove_device_deferred(const char *name); - - int dev_get_device_list(char ***list, size_t *length); - --bool udev_sync_supported(); -+bool udev_sync_supported(void); - - bool udev_set_sync_support(bool enable); - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -index 3b27076c..ced30b96 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -@@ -405,12 +405,6 @@ out: - return ret; - } - --bool overlay2_is_quota_options(struct graphdriver *driver, const char *option) --{ -- return strncmp(option, QUOTA_SIZE_OPTION, strlen(QUOTA_SIZE_OPTION)) == 0 || -- strncmp(option, QUOTA_BASESIZE_OPTIONS, strlen(QUOTA_BASESIZE_OPTIONS)) == 0; --} -- - static int check_parent_valid(const char *parent, const struct graphdriver *driver) - { - int ret = 0; -@@ -1158,7 +1152,7 @@ int overlay2_rm_layer(const char *id, const struct graphdriver *driver) - struct stat stat_buf; - #endif - -- if (id == NULL || driver == NULL) { -+ if (id == NULL || driver == NULL || driver->home == NULL) { - ERROR("Invalid input arguments"); - return -1; - } -@@ -1844,6 +1838,11 @@ bool overlay2_layer_exists(const char *id, const struct graphdriver *driver) - char *layer_dir = NULL; - char *link_id = NULL; - -+ if (id == NULL || driver == NULL || driver->home == NULL) { -+ ERROR("Failed to verify overlay2 layer exists for empty id or driver"); -+ return false; -+ } -+ - layer_dir = util_path_join(driver->home, id); - if (layer_dir == NULL) { - ERROR("Failed to join layer dir:%s", id); -@@ -2075,7 +2074,7 @@ int overlay2_get_driver_status(const struct graphdriver *driver, struct graphdri - int nret = 0; - char tmp[MAX_INFO_LENGTH] = { 0 }; - -- if (driver == NULL || status == NULL) { -+ if (driver == NULL || status == NULL || driver->backing_fs == NULL) { - ERROR("Invalid input arguments"); - return -1; - } -@@ -2117,7 +2116,7 @@ int overlay2_clean_up(struct graphdriver *driver) - { - int ret = 0; - -- if (driver == NULL) { -+ if (driver == NULL || driver->home == NULL) { - ERROR("Invalid input arguments"); - ret = -1; - goto out; -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h -index e14271b1..438c508e 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h -@@ -35,8 +35,6 @@ extern "C" { - - int overlay2_init(struct graphdriver *driver, const char *driver_home, const char **options, size_t len); - --bool overlay2_is_quota_options(struct graphdriver *driver, const char *option); -- - int overlay2_create_rw(const char *id, const char *parent, const struct graphdriver *driver, - struct driver_create_opts *create_opts); - -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer.c b/src/daemon/modules/image/oci/storage/layer_store/layer.c -index 4baeb7c2..4beb3d10 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer.c -@@ -46,7 +46,7 @@ void free_layer_t(layer_t *ptr) - free(ptr); - } - --layer_t *create_empty_layer() -+layer_t *create_empty_layer(void) - { - layer_t *result = NULL; - int nret = 0; -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer.h b/src/daemon/modules/image/oci/storage/layer_store/layer.h -index f2dad648..9387efe0 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer.h -@@ -43,7 +43,7 @@ typedef struct _layer_t_ { - uint64_t refcnt; - } layer_t; - --layer_t *create_empty_layer(); -+layer_t *create_empty_layer(void); - - void free_layer_t(layer_t *ptr); - void layer_ref_inc(layer_t *layer); -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -index 6ea3c48b..3ffe0ca7 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.c -@@ -117,7 +117,7 @@ static inline void layer_store_unlock() - } - } - --void layer_store_cleanup() -+void layer_store_cleanup(void) - { - struct linked_list *item = NULL; - struct linked_list *next = NULL; -@@ -230,7 +230,7 @@ static inline void delete_g_layer_list_item(struct linked_list *item, bool rm_va - g_metadata.layers_list_len -= 1; - } - --void remove_layer_list_tail() -+void remove_layer_list_tail(void) - { - struct linked_list *item = NULL; - -@@ -1231,18 +1231,6 @@ int layer_store_delete(const char *id) - return ret; - } - --bool layer_store_exists(const char *id) --{ -- layer_t *l = lookup_with_lock(id); -- -- if (l == NULL) { -- return false; -- } -- -- layer_ref_dec(l); -- return true; --} -- - static void copy_json_to_layer(const layer_t *jl, struct layer *l) - { - if (jl->slayer == NULL) { -@@ -1354,7 +1342,7 @@ int layer_store_by_compress_digest(const char *digest, struct layer_list *resp) - { - int ret = 0; - -- if (resp == NULL) { -+ if (digest == NULL || resp == NULL) { - return -1; - } - -@@ -1367,22 +1355,6 @@ int layer_store_by_compress_digest(const char *digest, struct layer_list *resp) - return ret; - } - --int layer_store_by_uncompress_digest(const char *digest, struct layer_list *resp) --{ -- int ret = 0; -- -- if (resp == NULL) { -- return -1; -- } -- if (!layer_store_lock(false)) { -- return -1; -- } -- -- ret = layers_by_digest_map(g_metadata.by_uncompress_digest, digest, resp); -- layer_store_unlock(); -- return ret; --} -- - struct layer *layer_store_lookup(const char *name) - { - struct layer *ret = NULL; -@@ -1492,6 +1464,10 @@ int layer_store_try_repair_lowers(const char *id) - layer_t *l = NULL; - int ret = 0; - -+ if (id == NULL) { -+ return -1; -+ } -+ - l = lookup_with_lock(id); - if (l == NULL) { - return -1; -@@ -1807,7 +1783,7 @@ free_out: - return -1; - } - --void layer_store_exit() -+void layer_store_exit(void) - { - graphdriver_cleanup(); - } -@@ -2116,6 +2092,11 @@ int layer_store_check(const char *id) - int ret = 0; - char *rootfs = NULL; - -+ if (id == NULL) { -+ ERROR("Failed to do layer store check for Empty id"); -+ return -1; -+ } -+ - layer_t *l = lookup_with_lock(id); - if (l == NULL || l->slayer == NULL) { - ERROR("layer %s not found when checking integration", id); -@@ -2157,6 +2138,11 @@ int remote_layer_remove_memory_stores_with_lock(const char *id) - { - int ret = 0; - -+ if (id == NULL) { -+ ERROR("Failed to lock layer store for empty id"); -+ return -1; -+ } -+ - if (!layer_store_lock(true)) { - ERROR("Failed to lock layer store when handle: %s", id); - return -1; -@@ -2237,6 +2223,11 @@ int remote_load_one_layer(const char *id) - layer_t *tl = NULL; - size_t i = 0; - -+ if (id == NULL) { -+ ERROR("Failed to do remote load one layer for empty id"); -+ return -1; -+ } -+ - if (!layer_store_lock(true)) { - return -1; - } -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h -index be8c52dc..20287119 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h -@@ -51,20 +51,18 @@ struct layer_opts { - }; - - int layer_store_init(const struct storage_module_init_options *conf); --void layer_store_exit(); --void layer_store_cleanup(); -+void layer_store_exit(void); -+void layer_store_cleanup(void); - --void remove_layer_list_tail(); -+void remove_layer_list_tail(void); - int layer_store_create(const char *id, const struct layer_opts *opts, const struct io_read_wrapper *content, - char **new_id); - int layer_inc_hold_refs(const char *layer_id); - int layer_dec_hold_refs(const char *layer_id); - int layer_get_hold_refs(const char *layer_id, int *ref_num); - int layer_store_delete(const char *id); --bool layer_store_exists(const char *id); - int layer_store_list(struct layer_list *resp); - int layer_store_by_compress_digest(const char *digest, struct layer_list *resp); --int layer_store_by_uncompress_digest(const char *digest, struct layer_list *resp); - struct layer *layer_store_lookup(const char *name); - char *layer_store_mount(const char *id); - int layer_store_umount(const char *id, bool force); -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c -index b4a53ec1..07c4a5cc 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/image_remote_impl.c -@@ -1,5 +1,5 @@ - /****************************************************************************** -- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2023. All rights reserved. -+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -@@ -31,6 +31,11 @@ static map_t *image_byid_new = NULL; - - struct remote_image_data *remote_image_create(const char *remote_home, const char *remote_ro) - { -+ if (remote_home == NULL) { -+ ERROR("Empty remote home"); -+ return NULL; -+ } -+ - struct remote_image_data *data = util_common_calloc_s(sizeof(struct remote_image_data)); - if (data == NULL) { - ERROR("Out of memory"); -@@ -204,6 +209,11 @@ static int remote_image_add(void *data) - - void remote_image_refresh(struct remote_image_data *data) - { -+ if (data == NULL) { -+ ERROR("Skip refresh remote image for empty data"); -+ return; -+ } -+ - if (remote_dir_scan(data) != 0) { - ERROR("remote overlay failed to scan dir, skip refresh"); - return; -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c -index b1a1e944..7527f1e4 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/layer_remote_impl.c -@@ -31,6 +31,11 @@ static map_t *layer_byid_new = NULL; - - struct remote_layer_data *remote_layer_create(const char *layer_home, const char *layer_ro) - { -+ if (layer_home == NULL || layer_ro == NULL) { -+ ERROR("Empty layer home or layer ro"); -+ return NULL; -+ } -+ - struct remote_layer_data *data = util_common_calloc_s(sizeof(struct remote_layer_data)); - if (data == NULL) { - ERROR("Out of memory"); -@@ -232,6 +237,11 @@ static int remote_layer_add(struct remote_layer_data *data) - - void remote_layer_refresh(struct remote_layer_data *data) - { -+ if (data == NULL) { -+ ERROR("Skip refresh remote layer for empty data"); -+ return; -+ } -+ - if (remote_dir_scan(data) != 0) { - ERROR("remote layer failed to scan dir, skip refresh"); - return; -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -index e44c64ef..38d9b0ce 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -@@ -37,6 +37,11 @@ static map_t *overlay_id_link = NULL; - - struct remote_overlay_data *remote_overlay_create(const char *remote_home, const char *remote_ro) - { -+ if (remote_home == NULL || remote_ro == NULL) { -+ ERROR("Empty remote home or remote ro"); -+ return NULL; -+ } -+ - struct remote_overlay_data *data = util_common_calloc_s(sizeof(struct remote_overlay_data)); - if (data == NULL) { - ERROR("Out of memory"); -@@ -341,6 +346,11 @@ static int remote_overlay_add(struct remote_overlay_data *data) - - void remote_overlay_refresh(struct remote_overlay_data *data) - { -+ if (data == NULL) { -+ ERROR("Skip refresh remote overlay for empty data"); -+ return; -+ } -+ - if (remote_dir_scan(data) != 0) { - ERROR("remote overlay failed to scan dir, skip refresh"); - return; -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -index 1bac8dd5..5bf9869b 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -@@ -87,6 +87,11 @@ int remote_start_refresh_thread(pthread_rwlock_t *remote_lock) - pthread_t a_thread; - maintain_context ctx = get_maintain_context(); - -+ if (remote_lock == NULL) { -+ ERROR("Invalid remote lock"); -+ return -1; -+ } -+ - supporters.image_data = remote_image_create(ctx.image_home, NULL); - if (supporters.image_data == NULL) { - goto free_out; -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -index 4d234aab..ea40ae45 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/ro_symlink_maintain.c -@@ -37,6 +37,8 @@ static char *layer_home; - static char *overlay_ro_dir; - static char *overlay_home; - -+#define LAYER_RO_DIR_MODE 0700 -+ - int remote_image_init(const char *root_dir) - { - if (root_dir == NULL) { -@@ -67,7 +69,7 @@ int remote_layer_init(const char *root_dir) - ERROR("Failed join path when init remote layer maintainer"); - goto out; - } -- if (!util_file_exists(layer_ro_dir) && util_mkdir_p(layer_ro_dir, 0700) != 0) { -+ if (!util_file_exists(layer_ro_dir) && util_mkdir_p(layer_ro_dir, LAYER_RO_DIR_MODE) != 0) { - ERROR("Failed to create RO dir under overlay"); - goto out; - } -@@ -127,6 +129,11 @@ static int do_build_ro_dir(const char *home, const char *id) - int nret = 0; - int ret = 0; - -+ if (home == NULL || id == NULL) { -+ ERROR("Empty home or id"); -+ return -1; -+ } -+ - nret = asprintf(&ro_symlink, "%s/%s", home, id); - if (nret < 0 || nret > PATH_MAX) { - SYSERROR("Failed create ro layer dir sym link path"); -@@ -183,7 +190,7 @@ int do_remove_ro_dir(const char *home, const char *id) - int ret = 0; - int nret = 0; - -- if (id == NULL) { -+ if (home == NULL || id == NULL) { - return 0; - } - -diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c -index ee1e15d0..7ed07029 100644 ---- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c -+++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.c -@@ -121,7 +121,7 @@ static void free_rootfs_store(rootfs_store_t *store) - free(store); - } - --void rootfs_store_free() -+void rootfs_store_free(void) - { - free_rootfs_store(g_rootfs_store); - g_rootfs_store = NULL; -@@ -1085,7 +1085,7 @@ out: - return ret; - } - --int rootfs_store_wipe() -+int rootfs_store_wipe(void) - { - int ret = 0; - char *id = NULL; -@@ -1125,7 +1125,7 @@ int rootfs_store_set_metadata(const char *id, const char *metadata) - cntrootfs_t *cntr = NULL; - - if (id == NULL || metadata == NULL) { -- ERROR("Invalid paratemer: id(%s), metadata(%s)", id, metadata); -+ ERROR("Invalid paratemer"); - return -1; - } - -@@ -1331,7 +1331,7 @@ out: - return ret; - } - --char *rootfs_store_get_data_dir() -+char *rootfs_store_get_data_dir(void) - { - return util_strdup_s(g_rootfs_store->dir); - } -\ No newline at end of file -diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h -index c23af091..63f3294b 100644 ---- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h -+++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h -@@ -48,7 +48,7 @@ char *rootfs_store_lookup(const char *id); - int rootfs_store_delete(const char *id); - - // Remove records of all containers --int rootfs_store_wipe(); -+int rootfs_store_wipe(void); - - // Updates the metadata associated with the item with the specified ID. - int rootfs_store_set_metadata(const char *id, const char *metadata); -@@ -66,10 +66,10 @@ storage_rootfs *rootfs_store_get_rootfs(const char *id); - int rootfs_store_get_all_rootfs(struct rootfs_list *all_rootfs); - - // Return rootfs store data dir --char *rootfs_store_get_data_dir(); -+char *rootfs_store_get_data_dir(void); - - // Free memory of container store, but will not delete the persisted files --void rootfs_store_free(); -+void rootfs_store_free(void); - - #ifdef __cplusplus - } -diff --git a/src/daemon/modules/image/oci/storage/storage.c b/src/daemon/modules/image/oci/storage/storage.c -index 13f8bb53..255ec89c 100644 ---- a/src/daemon/modules/image/oci/storage/storage.c -+++ b/src/daemon/modules/image/oci/storage/storage.c -@@ -194,6 +194,11 @@ int storage_inc_hold_refs(const char *layer_id) - { - int ret = 0; - -+ if (layer_id == NULL) { -+ ERROR("Empty layer id"); -+ return -1; -+ } -+ - if (!storage_lock(&g_storage_rwlock, true)) { - ERROR("Failed to lock image store when increase hold refs number for layer %s", layer_id); - return -1; -@@ -209,6 +214,11 @@ int storage_inc_hold_refs(const char *layer_id) - int storage_dec_hold_refs(const char *layer_id) - { - int ret = 0; -+ -+ if (layer_id == NULL) { -+ ERROR("Empty layer id"); -+ return -1; -+ } - - if (!storage_lock(&g_storage_rwlock, true)) { - ERROR("Failed to lock image store when decrease hold refs number for layer %s", layer_id); -@@ -284,6 +294,11 @@ struct layer_list *storage_layers_get_by_compress_digest(const char *digest) - int ret = 0; - struct layer_list *layers = NULL; - -+ if (digest == NULL) { -+ ERROR("Empty digest"); -+ return NULL; -+ } -+ - layers = util_common_calloc_s(sizeof(struct layer_list)); - if (layers == NULL) { - ERROR("Out of memory"); -@@ -539,7 +554,7 @@ char *storage_img_get_image_id(const char *img_name) - return image_store_lookup(img_name); - } - --bool is_top_layer_of_other_image(const char *img_id, const imagetool_images_list *all_images, const char *layer_id) -+static bool is_top_layer_of_other_image(const char *img_id, const imagetool_images_list *all_images, const char *layer_id) - { - size_t i = 0; - -@@ -913,6 +928,11 @@ int storage_img_set_image_size(const char *image_id) - int ret = 0; - int64_t image_size = 0; - -+ if (image_id == NULL) { -+ ERROR("Empty image id"); -+ return -1; -+ } -+ - image_size = storage_img_cal_image_size(image_id); - if (image_size < 0) { - ERROR("Failed to get image %s size", image_id); -@@ -961,7 +981,7 @@ bool storage_image_exist(const char *image_or_id) - return image_store_exists(image_or_id); - } - --size_t storage_get_img_count() -+size_t storage_get_img_count(void) - { - return image_store_get_images_number(); - } -@@ -1250,8 +1270,8 @@ int storage_rootfs_fs_usgae(const char *container_id, imagetool_fs_info *fs_info - } - - rootfs_info = rootfs_store_get_rootfs(container_id); -- if (rootfs_info == NULL) { -- ERROR("Failed to get rootfs %s info", container_id); -+ if (rootfs_info == NULL || rootfs_info->layer == NULL) { -+ ERROR("Failed to get valid rootfs %s info", container_id); - ret = -1; - goto out; - } -@@ -1278,7 +1298,7 @@ char *storage_rootfs_mount(const char *container_id) - } - - rootfs_info = rootfs_store_get_rootfs(container_id); -- if (rootfs_info == NULL) { -+ if (rootfs_info == NULL || rootfs_info->layer == NULL) { - ERROR("Failed to get rootfs %s info", container_id); - goto out; - } -@@ -1726,6 +1746,11 @@ container_inspect_graph_driver *storage_get_metadata_by_container_id(const char - storage_rootfs *rootfs_info = NULL; - container_inspect_graph_driver *container_metadata = NULL; - -+ if (id == NULL) { -+ ERROR("Empty id"); -+ return NULL; -+ } -+ - rootfs_info = rootfs_store_get_rootfs(id); - if (rootfs_info == NULL) { - ERROR("Failed to get rootfs %s info", id); -diff --git a/src/daemon/modules/image/oci/storage/storage.h b/src/daemon/modules/image/oci/storage/storage.h -index a761938c..718f7eff 100644 ---- a/src/daemon/modules/image/oci/storage/storage.h -+++ b/src/daemon/modules/image/oci/storage/storage.h -@@ -119,7 +119,7 @@ typedef struct storage_layer_create_opts { - - int storage_module_init(struct storage_module_init_options *opts); - --void storage_module_exit(); -+void storage_module_exit(void); - - void free_storage_module_init_options(struct storage_module_init_options *opts); - -@@ -153,7 +153,7 @@ int storage_img_set_image_size(const char *image_id); - - char *storage_get_img_top_layer(const char *id); - --size_t storage_get_img_count(); -+size_t storage_get_img_count(void); - - char *storage_img_get_image_id(const char *img_name); - -@@ -191,7 +191,7 @@ char *storage_rootfs_mount(const char *container_id); - - int storage_rootfs_umount(const char *container_id, bool force); - --char *storage_rootfs_get_dir(); -+char *storage_rootfs_get_dir(void); - - container_inspect_graph_driver *storage_get_metadata_by_container_id(const char *id); - -diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c -index 2c5656c6..f8fd1e73 100644 ---- a/src/daemon/modules/image/oci/utils_images.c -+++ b/src/daemon/modules/image/oci/utils_images.c -@@ -247,7 +247,7 @@ int oci_split_image_name(const char *image_name, char **host, char **name, char - return 0; - } - --char *get_hostname_to_strip() -+char *get_hostname_to_strip(void) - { - char *name = NULL; - -@@ -320,6 +320,11 @@ char *make_big_data_base_name(const char *key) - char *base_name = NULL; - size_t name_size; - -+ if (key == NULL) { -+ ERROR("Empty key"); -+ return NULL; -+ } -+ - if (should_use_origin_name(key)) { - return util_strdup_s(key); - } -diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h -index 97879e41..2238bb91 100644 ---- a/src/daemon/modules/image/oci/utils_images.h -+++ b/src/daemon/modules/image/oci/utils_images.h -@@ -57,7 +57,7 @@ int oci_split_search_name(const char *search_name, char **host, char **name); - - char *oci_get_isulad_tmpdir(const char *root_dir); - int makesure_isulad_tmpdir_perm_right(const char *root_dir); --char *get_hostname_to_strip(); -+char *get_hostname_to_strip(void); - - char *oci_image_digest_pos(const char *name); - -diff --git a/src/utils/http/http.h b/src/utils/http/http.h -index cdd6d64f..02d56ba8 100644 ---- a/src/utils/http/http.h -+++ b/src/utils/http/http.h -@@ -107,6 +107,8 @@ struct http_get_options { - #define AUTHZ_UNIX_SOCK "/run/isulad/plugins/authz-broker.sock" - #define AUTHZ_REQUEST_URL "http://localhost/isulad.auth" - -+#define BODY_FILE_MODE 0600 -+ - /* http response code */ - enum http_response_code { - StatusContinue = 100, // RFC 7231, 6.2.1 -diff --git a/test/image/oci/storage/layers/storage_driver_ut.cc b/test/image/oci/storage/layers/storage_driver_ut.cc -index ae9f4df1..943fa073 100644 ---- a/test/image/oci/storage/layers/storage_driver_ut.cc -+++ b/test/image/oci/storage/layers/storage_driver_ut.cc -@@ -269,12 +269,4 @@ TEST_F(StorageDriverUnitTest, test_graphdriver_try_repair_lowers) - - std::string id { "1be74353c3d0fd55fb5638a52953e6f1bc441e5b1710921db9ec2aa202725569" }; - ASSERT_EQ(graphdriver_try_repair_lowers(id.c_str(), nullptr), 0); --} -- --TEST(StorageOverlay2QuotaOptionsTest, test_overlay2_is_quota_options) --{ -- std::vector options { "overlay2.size", "overlay2.basesize" }; -- for (auto option : options) { -- ASSERT_TRUE(overlay2_is_quota_options(nullptr, option.c_str())); -- } --} -+} -\ No newline at end of file -diff --git a/test/image/oci/storage/layers/storage_layers_ut.cc b/test/image/oci/storage/layers/storage_layers_ut.cc -index fca37e83..73611fdc 100644 ---- a/test/image/oci/storage/layers/storage_layers_ut.cc -+++ b/test/image/oci/storage/layers/storage_layers_ut.cc -@@ -278,19 +278,6 @@ TEST_F(StorageLayersUnitTest, test_layers_load) - free_layer_list(layer_list); - } - --TEST_F(StorageLayersUnitTest, test_layer_store_exists) --{ -- if (!support_overlay) { -- return; -- } -- -- std::string id { "7db8f44a0a8e12ea4283e3180e98880007efbd5de2e7c98b67de9cdd4dfffb0b" }; -- std::string incorrectId { "50551ff67da98ab8540d7132" }; -- -- ASSERT_TRUE(layer_store_exists(id.c_str())); -- ASSERT_FALSE(layer_store_exists(incorrectId.c_str())); --} -- - TEST_F(StorageLayersUnitTest, test_layer_store_create) - { - if (!support_overlay) { -@@ -337,24 +324,3 @@ TEST_F(StorageLayersUnitTest, test_layer_store_by_compress_digest) - - free_layer_list(layer_list); - } -- --TEST_F(StorageLayersUnitTest, test_layer_store_by_uncompress_digest) --{ -- if (!support_overlay) { -- return; -- } -- -- std::string uncompress { "sha256:9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; -- std::string id { "9c27e219663c25e0f28493790cc0b88bc973ba3b1686355f221c38a36978ac63" }; -- struct layer_list *layer_list = (struct layer_list *)util_common_calloc_s(sizeof(struct layer_list)); -- -- ASSERT_EQ(layer_store_by_uncompress_digest(uncompress.c_str(), layer_list), 0); -- ASSERT_EQ(layer_list->layers_len, 1); -- -- struct layer **layers = layer_list->layers; -- ASSERT_STREQ(layers[0]->id, id.c_str()); -- ASSERT_STREQ(layers[0]->uncompressed_digest, uncompress.c_str()); -- ASSERT_EQ(layers[0]->uncompress_size, 1672256); -- -- free_layer_list(layer_list); --} -diff --git a/test/mocks/driver_overlay2_mock.cc b/test/mocks/driver_overlay2_mock.cc -index 6f24dbcf..6892539d 100644 ---- a/test/mocks/driver_overlay2_mock.cc -+++ b/test/mocks/driver_overlay2_mock.cc -@@ -39,11 +39,3 @@ int overlay2_parse_options(struct graphdriver *driver, const char **options, siz - } - return -1; - } -- --bool overlay2_is_quota_options(struct graphdriver *driver, const char *option) --{ -- if (g_driver_overlay2_mock != nullptr) { -- return g_driver_overlay2_mock->Overlay2IsQuotaOptions(driver, option); -- } -- return false; --} -diff --git a/test/mocks/driver_overlay2_mock.h b/test/mocks/driver_overlay2_mock.h -index 071e6287..f09b715a 100644 ---- a/test/mocks/driver_overlay2_mock.h -+++ b/test/mocks/driver_overlay2_mock.h -@@ -24,7 +24,6 @@ public: - virtual ~MockDriverOverlay2() = default; - MOCK_METHOD1(Overlay2Init, int(struct graphdriver *)); - MOCK_METHOD3(Overlay2ParseOptions, int(struct graphdriver *, const char **, size_t)); -- MOCK_METHOD2(Overlay2IsQuotaOptions, bool(struct graphdriver *, const char *)); - }; - - void MockDriverOverlay2_SetMock(MockDriverOverlay2* mock); --- -2.25.1 - diff --git a/0019-remove-password-in-url-module-and-clean-sensitive-in.patch b/0019-remove-password-in-url-module-and-clean-sensitive-in.patch deleted file mode 100644 index 70a84ce..0000000 --- a/0019-remove-password-in-url-module-and-clean-sensitive-in.patch +++ /dev/null @@ -1,332 +0,0 @@ -From 4adc923cfaf25142aa4cbb909d65c0f3a999cc02 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Tue, 29 Aug 2023 11:41:26 +0800 -Subject: [PATCH 19/32] remove password in url module and clean sensitive info - in struct passwd - -Signed-off-by: zhongtao ---- - .../modules/image/image_rootfs_handler.c | 13 +- - src/utils/cpputils/url.cc | 144 +----------------- - src/utils/cpputils/url.h | 19 +-- - 3 files changed, 15 insertions(+), 161 deletions(-) - -diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c -index 1a3f4307..a8036ab9 100644 ---- a/src/daemon/modules/image/image_rootfs_handler.c -+++ b/src/daemon/modules/image/image_rootfs_handler.c -@@ -85,6 +85,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * - char buf[BUFSIZ] = { 0 }; - struct passwd pw; - struct passwd *pwbufp = NULL; -+ int ret = -1; - - if (f_passwd != NULL) { - #if defined (__ANDROID__) || defined(__MUSL__) -@@ -116,7 +117,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * - if (errval != 0 && errval != ENOENT) { - ERROR("Failed to parse passwd file: Insufficient buffer space supplied"); - isulad_set_error_message("Failed to parse passwd file: Insufficient buffer space supplied"); -- return -1; -+ goto out; - } - if (!userfound && user != NULL) { - int uret = util_safe_llong(user, &n_user); -@@ -124,16 +125,20 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * - if (uret != 0) { - ERROR("Unable to find user '%s'", user); - isulad_set_error_message("Unable to find user '%s': no matching entries in passwd file", user); -- return -1; -+ goto out; - } - if (n_user < MINUID || n_user > MAXUID) { - uids_gids_range_err_log(); -- return -1; -+ goto out; - } - puser->uid = (uid_t)n_user; - } -+ ret = 0; - -- return 0; -+out: -+ memset(buf, 0, sizeof(buf)); -+ memset(pwbufp, 0, sizeof(struct passwd)); -+ return ret; - } - - static int append_additional_gids(gid_t gid, gid_t **additional_gids, size_t *len) -diff --git a/src/utils/cpputils/url.cc b/src/utils/cpputils/url.cc -index 117eba7e..baaded07 100644 ---- a/src/utils/cpputils/url.cc -+++ b/src/utils/cpputils/url.cc -@@ -266,12 +266,7 @@ std::string Escape(const std::string &s, const EncodeMode &mode) - - UserInfo *User(const std::string &username) noexcept - { -- return new UserInfo { username, "", false }; --} -- --UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept --{ -- return new UserInfo { username, password, true }; -+ return new UserInfo { username }; - } - - int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path) -@@ -324,24 +319,6 @@ void Split(const std::string &s, const std::string &c, bool cutc, std::string &t - u = s.substr(i, s.size()); - } - --URLDatum *Parse(const std::string &rawurl) --{ -- std::string u, frag; -- Split(rawurl, "#", true, u, frag); -- auto *url = Parse(u, false); -- if (url == nullptr) { -- return nullptr; -- } -- if (frag.empty()) { -- return url; -- } -- url->SetFragment(Unescape(frag, EncodeMode::ENCODE_FRAGMENT)); -- if (url->GetFragment().empty()) { -- return nullptr; -- } -- return url; --} -- - int SplitOffPossibleLeading(std::string &scheme, const std::string &rawurl, URLDatum *url, std::string &rest) - { - if (Getscheme(rawurl, scheme, rest) != 0) { -@@ -385,108 +362,6 @@ URLDatum *HandleNonBackslashPrefix(URLDatum *url, const std::string &scheme, con - return nullptr; - } - --int SetURLDatumInfo(URLDatum *url, const std::string &scheme, bool viaRequest, std::string &rest) --{ -- if ((!scheme.empty() || (!viaRequest && rest.substr(0, 3) == "///")) && rest.substr(0, 2) == "//") { -- std::string authority; -- Split(rest.substr(2, rest.size()), "/", false, authority, rest); -- std::string host = url->GetHost(); -- UserInfo *user = url->GetUser(); -- if (ParseAuthority(authority, &user, host)) { -- return -1; -- } -- url->SetHost(host); -- url->SetUser(user); -- } -- if (url->SetPath(rest)) { -- return -1; -- } -- url->SetScheme(scheme); -- return 0; --} -- --URLDatum *Parse(const std::string &rawurl, bool viaRequest) --{ -- if (rawurl.empty() && viaRequest) { -- ERROR("empty url!"); -- return nullptr; -- } -- auto *url = new (std::nothrow) URLDatum; -- if (url == nullptr) { -- ERROR("Out of memory"); -- return nullptr; -- } -- if (rawurl == "*") { -- url->SetPathWithoutEscape("*"); -- return url; -- } -- std::string scheme = url->GetScheme(); -- std::string rest; -- if (SplitOffPossibleLeading(scheme, rawurl, url, rest) != 0) { -- return nullptr; -- } -- bool shouldRet = false; -- auto *tmpret = HandleNonBackslashPrefix(url, scheme, rest, viaRequest, shouldRet); -- if (shouldRet) { -- return tmpret; -- } -- if (SetURLDatumInfo(url, scheme, viaRequest, rest) != 0) { -- return nullptr; -- } -- return url; --} -- --int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host) --{ -- size_t i = authority.find("@"); -- if (i == std::string::npos) { -- if (ParseHost(authority, host) != 0) { -- *user = nullptr; -- host = ""; -- return -1; -- } -- } else { -- if (ParseHost(authority.substr(i + 1, authority.size()), host) != 0) { -- *user = nullptr; -- host = ""; -- return -1; -- } -- } -- if (i == std::string::npos) { -- *user = nullptr; -- return 0; -- } -- -- std::string userinfo = authority.substr(0, i); -- if (!ValidUserinfo(userinfo)) { -- *user = nullptr; -- host = ""; -- ERROR("net/url: invalid userinfo"); -- return -1; -- } -- if (userinfo.find(":") == std::string::npos) { -- userinfo = Unescape(userinfo, EncodeMode::ENCODE_USER_PASSWORD); -- if (userinfo.empty()) { -- *user = nullptr; -- host = ""; -- return -1; -- } -- *user = User(userinfo); -- } else { -- std::string servername, serverword; -- Split(userinfo, ":", true, servername, serverword); -- servername = Unescape(servername, EncodeMode::ENCODE_USER_PASSWORD); -- serverword = Unescape(serverword, EncodeMode::ENCODE_USER_PASSWORD); -- if (servername.empty() || serverword.empty()) { -- *user = nullptr; -- host = ""; -- return -1; -- } -- *user = UserPassword(servername, serverword); -- } -- return 0; --} -- - int ParseHost(std::string host, std::string &out) - { - if (host.at(0) == '[') { -@@ -756,9 +631,6 @@ std::string UserInfo::String() const - std::string s; - if (!m_username.empty()) { - s = Escape(m_username, EncodeMode::ENCODE_USER_PASSWORD); -- if (m_passwordSet) { -- s += ":" + Escape(m_password, EncodeMode::ENCODE_USER_PASSWORD); -- } - } - return s; - } -@@ -766,11 +638,6 @@ std::string UserInfo::Username() const - { - return m_username; - } --std::string UserInfo::Password(bool &set) const --{ -- set = m_passwordSet; -- return m_password; --} - - URLDatum::~URLDatum() - { -@@ -860,15 +727,6 @@ bool URLDatum::IsAbs() const - return (m_scheme != ""); - } - --std::unique_ptr URLDatum::UrlParse(const std::string &ref) --{ -- auto *refurl = Parse(ref); -- if (refurl == nullptr) { -- return nullptr; -- } -- return ResolveReference(refurl); --} -- - std::unique_ptr URLDatum::ResolveReference(URLDatum *ref) - { - std::unique_ptr url(new (std::nothrow) URLDatum(*ref)); -diff --git a/src/utils/cpputils/url.h b/src/utils/cpputils/url.h -index abbf20f4..3dd40079 100644 ---- a/src/utils/cpputils/url.h -+++ b/src/utils/cpputils/url.h -@@ -49,17 +49,13 @@ private: - - class UserInfo { - public: -- UserInfo(const std::string &u, const std::string &p, bool b) : m_username(u), m_password(p), -- m_passwordSet(b) {} -+ UserInfo(const std::string &u) : m_username(u) {} - ~UserInfo() = default; - std::string String() const; - std::string Username() const; -- std::string Password(bool &set) const; - - private: - std::string m_username; -- std::string m_password; -- bool m_passwordSet; - }; - - class URLDatum { -@@ -69,7 +65,6 @@ public: - std::string EscapedPath(); - std::string String(); - bool IsAbs() const; -- std::unique_ptr UrlParse(const std::string &ref); - std::unique_ptr ResolveReference(URLDatum *ref); - auto Query()->std::map>; - std::string RequestURI(); -@@ -88,7 +83,7 @@ public: - { - m_opaque = value; - } -- std::string GetOpaque() const -+ std::string GetOpaque() const - { - return m_opaque; - } -@@ -96,7 +91,7 @@ public: - { - m_user = value; - } -- UserInfo *GetUser() const -+ UserInfo *GetUser() const - { - return m_user; - } -@@ -128,7 +123,7 @@ public: - { - m_rawQuery = value; - } -- std::string GetRawQuery() const -+ std::string GetRawQuery() const - { - return m_rawQuery; - } -@@ -136,7 +131,7 @@ public: - { - m_fragment = value; - } -- std::string GetFragment() const -+ std::string GetFragment() const - { - return m_fragment; - } -@@ -163,13 +158,9 @@ std::string QueryUnescape(const std::string &s); - std::string Unescape(std::string s, const EncodeMode &mode); - std::string QueryEscape(const std::string &s); - std::string Escape(const std::string &s, const EncodeMode &mode); --UserInfo *UserPassword(const std::string &username, const std::string &password) noexcept; - UserInfo *User(const std::string &username) noexcept; - int Getscheme(const std::string &rawurl, std::string &scheme, std::string &path); - void Split(const std::string &s, const std::string &c, bool cutc, std::string &t, std::string &u); --URLDatum *Parse(const std::string &rawurl); --URLDatum *Parse(const std::string &rawurl, bool viaRequest); --int ParseAuthority(const std::string &authority, UserInfo **user, std::string &host); - int ParseHost(std::string host, std::string &out); - bool ValidEncodedPath(const std::string &s); - bool ValidOptionalPort(const std::string &port); --- -2.25.1 - diff --git a/0020-2153-fix-codecheck.patch b/0020-2153-fix-codecheck.patch deleted file mode 100644 index 1da123b..0000000 --- a/0020-2153-fix-codecheck.patch +++ /dev/null @@ -1,447 +0,0 @@ -From d9c60a7309f3616c1d9d0051ba338a8def37a538 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Tue, 29 Aug 2023 09:38:53 +0000 -Subject: [PATCH 20/32] !2153 fix codecheck * fix codecheck - ---- - src/daemon/modules/image/embedded/load.c | 2 +- - src/daemon/modules/image/image.c | 4 +- - src/daemon/modules/image/oci/oci_login.h | 2 - - src/daemon/modules/image/oci/oci_logout.h | 2 - - .../oci/storage/image_store/image_store.c | 1 - - .../oci/storage/image_store/image_store.h | 2 - - .../graphdriver/devmapper/deviceset.c | 9 ++- - .../graphdriver/devmapper/deviceset.h | 5 +- - .../graphdriver/devmapper/driver_devmapper.h | 16 ++--- - .../graphdriver/devmapper/wrapper_devmapper.h | 2 - - .../storage/layer_store/graphdriver/driver.c | 2 +- - .../storage/layer_store/graphdriver/driver.h | 59 ++++++++----------- - .../graphdriver/overlay2/driver_overlay2.c | 3 - - .../graphdriver/overlay2/driver_overlay2.h | 8 +-- - .../graphdriver/quota/project_quota.h | 1 - - .../oci/storage/layer_store/layer_store.h | 4 -- - .../overlay_remote_impl.c | 1 - - .../remote_layer_support/remote_support.c | 2 +- - .../remote_layer_support/remote_support.h | 2 +- - .../oci/storage/rootfs_store/rootfs_store.h | 4 -- - 20 files changed, 46 insertions(+), 85 deletions(-) - -diff --git a/src/daemon/modules/image/embedded/load.c b/src/daemon/modules/image/embedded/load.c -index dc2aeba2..92ac42ad 100644 ---- a/src/daemon/modules/image/embedded/load.c -+++ b/src/daemon/modules/image/embedded/load.c -@@ -36,7 +36,7 @@ static char *replace_suffix_to_sgn(const char *file) - ERROR("invalid NULL param"); - return NULL; - } -- if (sizeof(".sgn") > SIZE_MAX - strlen(file)) { -+ if (strlen(file) > SIZE_MAX - sizeof(".sgn")) { - return NULL; - } - len = strlen(file) + sizeof(".sgn"); -diff --git a/src/daemon/modules/image/image.c b/src/daemon/modules/image/image.c -index 408ceea2..a14f2ac3 100644 ---- a/src/daemon/modules/image/image.c -+++ b/src/daemon/modules/image/image.c -@@ -784,7 +784,9 @@ int im_merge_image_config(const char *image_type, const char *image_name, contai - int ret = 0; - struct bim *bim = NULL; - -- if (container_spec == NULL || image_name == NULL || image_type == NULL) { -+ // there is no need to judge the image name as empty, -+ // because the image name of external type allows it to be empty. -+ if (container_spec == NULL || image_type == NULL) { - ERROR("Invalid input arguments"); - ret = -1; - goto out; -diff --git a/src/daemon/modules/image/oci/oci_login.h b/src/daemon/modules/image/oci/oci_login.h -index ab261ebd..acf6eeb6 100644 ---- a/src/daemon/modules/image/oci/oci_login.h -+++ b/src/daemon/modules/image/oci/oci_login.h -@@ -15,8 +15,6 @@ - #ifndef DAEMON_MODULES_IMAGE_OCI_OCI_LOGIN_H - #define DAEMON_MODULES_IMAGE_OCI_OCI_LOGIN_H - --#include -- - #ifdef __cplusplus - extern "C" { - #endif -diff --git a/src/daemon/modules/image/oci/oci_logout.h b/src/daemon/modules/image/oci/oci_logout.h -index 81f0196c..c0a9bb8b 100644 ---- a/src/daemon/modules/image/oci/oci_logout.h -+++ b/src/daemon/modules/image/oci/oci_logout.h -@@ -15,8 +15,6 @@ - #ifndef DAEMON_MODULES_IMAGE_OCI_OCI_LOGOUT_H - #define DAEMON_MODULES_IMAGE_OCI_OCI_LOGOUT_H - --#include -- - #ifdef __cplusplus - extern "C" { - #endif -diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.c b/src/daemon/modules/image/oci/storage/image_store/image_store.c -index b7e0f0cc..f49f4707 100644 ---- a/src/daemon/modules/image/oci/storage/image_store/image_store.c -+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.c -@@ -2123,7 +2123,6 @@ static int pack_repo_digest(char ***old_repo_digests, const char **image_tags, c - } - - for (i = 0; i < util_array_len((const char **)*repo_digests); i++) { -- bool value = true; - if (!map_replace(digest_map, (void *)(*repo_digests)[i], &value)) { - ERROR("Failed to insert pair to digest map: %s", (*repo_digests)[i]); - ret = -1; -diff --git a/src/daemon/modules/image/oci/storage/image_store/image_store.h b/src/daemon/modules/image/oci/storage/image_store/image_store.h -index 019a2881..4544f84b 100644 ---- a/src/daemon/modules/image/oci/storage/image_store/image_store.h -+++ b/src/daemon/modules/image/oci/storage/image_store/image_store.h -@@ -29,8 +29,6 @@ - #include "isula_libutils/imagetool_images_list.h" - #include "isula_libutils/imagetool_image_summary.h" - --struct storage_module_init_options; -- - #ifdef __cplusplus - extern "C" { - #endif -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -index 79541e54..4652c71a 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.c -@@ -105,7 +105,6 @@ static int handle_dm_min_free_space(char *val, struct device_set *devset) - { - long converted = 0; - int ret = util_parse_percent_string(val, &converted); -- - if (ret != 0 || converted >= 100) { - errno = -ret; - SYSERROR("Invalid min free space: '%s'", val); -@@ -293,7 +292,8 @@ static char *deviceset_meta_file(const struct device_set *devset) - return file; - } - --// get_dm_name return value format:container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 -+// get_dm_name return value format: -+// container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 - static char *get_dm_name(const struct device_set *devset, const char *hash) - { - int nret = 0; -@@ -312,7 +312,8 @@ static char *get_dm_name(const struct device_set *devset, const char *hash) - return util_strdup_s(buff); - } - --// get_dev_name return value fromat:/dev/mapper/container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 -+// get_dev_name return value fromat: -+// /dev/mapper/container-253:0-409697-401641a00390ccd2b21eb464f5eb5a7b735c3731b717e7bffafe65971f4cb498 - static char *get_dev_name(const char *name) - { - return util_string_append(name, DEVMAPPER_DECICE_DIRECTORY); -@@ -2351,7 +2352,6 @@ static int setup_base_image(struct device_set *devset) - devmapper_device_info_t *device_info = NULL; - - device_info = lookup_device(devset, "base"); -- - // base image already exists. If it is initialized properly, do UUID - // verification and return. Otherwise remove image and set it up - // fresh. -@@ -2504,7 +2504,6 @@ static void cleanup_deleted_devices(struct graphdriver *driver) - goto unlock_driver; - } - -- - if (driver->devset->nr_deleted_devices == 0) { - DEBUG("devmapper: no devices to delete"); - goto unlock_devset; -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h -index ec985e40..d7f7d184 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/deviceset.h -@@ -23,10 +23,7 @@ - - #include "driver.h" - #include "metadata_store.h" -- --struct device_set; --struct driver_mount_opts; --struct graphdriver; -+#include "devices_constants.h" - - #ifdef __cplusplus - extern "C" { -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h -index 9ee020de..dca2d614 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/driver_devmapper.h -@@ -16,22 +16,18 @@ - #define DAEMON_MODULES_IMAGE_OCI_STORAGE_LAYER_STORE_GRAPHDRIVER_DEVMAPPER_DRIVER_DEVMAPPER_H - - #include --#include --#include - #include - #include - #include -+#include -+#include -+#include -+#include - - #include "driver.h" - #include "map.h" --#include "isula_libutils/image_devmapper_transaction.h" --#include "isula_libutils/image_devmapper_deviceset_metadata.h" -- --struct driver_create_opts; --struct driver_mount_opts; --struct graphdriver; --struct graphdriver_status; --struct io_read_wrapper; -+#include "image_api.h" -+#include "io_wrapper.h" - - #ifdef __cplusplus - extern "C" { -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h -index 01771a3b..4b2ae82b 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/devmapper/wrapper_devmapper.h -@@ -24,8 +24,6 @@ - - #include "driver.h" - --struct dm_task; -- - #ifdef __cplusplus - extern "C" { - #endif -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -index fc2857b6..fb549bae 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.c -@@ -1,5 +1,5 @@ - /****************************************************************************** -- * Copyright (c) Huawei Technologies Co., Ltd. 2017-2019. All rights reserved. -+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h -index acd847cc..2fcfa12b 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/driver.h -@@ -1,5 +1,5 @@ - /****************************************************************************** -- * Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -+ * Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -@@ -20,25 +20,42 @@ - #include - #include - #include -+#include -+#include - --#include "isula_libutils/container_inspect.h" --#include "isula_libutils/json_common.h" - #include "io_wrapper.h" - #include "driver_overlay2_types.h" - #include "devices_constants.h" - #include "storage.h" - #include "image_api.h" --#include "isula_libutils/container_inspect.h" -- --struct graphdriver_status; --struct io_read_wrapper; --struct storage_module_init_options; - - #ifdef __cplusplus - extern "C" { - #endif - --struct graphdriver; -+struct graphdriver { -+ // common implement -+ const struct graphdriver_ops *ops; -+ const char *name; -+ const char *home; -+ char *backing_fs; -+ bool support_dtype; -+ -+ bool support_quota; -+#ifdef ENABLE_REMOTE_LAYER_STORE -+ bool enable_remote_layer; -+#endif -+ struct pquota_control *quota_ctrl; -+ -+ // options for overlay2 -+ struct overlay_options *overlay_opts; -+ -+ // options for device mapper -+ struct device_set *devset; -+ -+ // lock to protect graphdriver between cleanup and other operations -+ pthread_rwlock_t rwlock; -+}; - - struct driver_create_opts { - char *mount_label; -@@ -81,30 +98,6 @@ struct graphdriver_ops { - int (*get_layer_fs_info)(const char *id, const struct graphdriver *driver, imagetool_fs_info *fs_info); - }; - --struct graphdriver { -- // common implement -- const struct graphdriver_ops *ops; -- const char *name; -- const char *home; -- char *backing_fs; -- bool support_dtype; -- -- bool support_quota; --#ifdef ENABLE_REMOTE_LAYER_STORE -- bool enable_remote_layer; --#endif -- struct pquota_control *quota_ctrl; -- -- // options for overlay2 -- struct overlay_options *overlay_opts; -- -- // options for device mapper -- struct device_set *devset; -- -- // lock to protect graphdriver between cleanup and other operations -- pthread_rwlock_t rwlock; --}; -- - int graphdriver_init(const struct storage_module_init_options *opts); - - int graphdriver_create_rw(const char *id, const char *parent, struct driver_create_opts *create_opts); -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -index ced30b96..7517dd43 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.c -@@ -648,7 +648,6 @@ const static int check_lower_depth(const char *lowers_str) - - lowers_arr = util_string_split(lowers_str, ':'); - lowers_size = util_array_len((const char **)lowers_arr); -- - if (lowers_size > OVERLAY_LAYER_MAX_DEPTH) { - ERROR("Max depth exceeded %s", lowers_str); - ret = -1; -@@ -1274,7 +1273,6 @@ static int append_rel_empty_path(const char *id, char ***rel_lowers) - char *rel_path = NULL; - - rel_path = util_string_append("/empty", id); -- - if (util_array_append(rel_lowers, rel_path) != 0) { - SYSERROR("Can't append relative layer:%s", rel_path); - ret = -1; -@@ -2181,7 +2179,6 @@ int overlay2_repair_lowers(const char *id, const char *parent, const struct grap - lowers_str = read_layer_lower_file(layer_dir); - lowers_arr = util_string_split(lowers_str, ':'); - lowers_size = util_array_len((const char **)lowers_arr); -- - if (lowers_size != 0) { - if (check_lower_valid(driver->home, lowers_arr[0]) == 0) { - DEBUG("Try to repair layer %s, success check", id); -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h -index 438c508e..444c0670 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/overlay2/driver_overlay2.h -@@ -22,12 +22,8 @@ - #include - - #include "driver.h" -- --struct driver_create_opts; --struct driver_mount_opts; --struct graphdriver; --struct graphdriver_status; --struct io_read_wrapper; -+#include "image_api.h" -+#include "io_wrapper.h" - - #ifdef __cplusplus - extern "C" { -diff --git a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h -index 94230faa..6cda7456 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/graphdriver/quota/project_quota.h -@@ -33,7 +33,6 @@ - #include - #include - #include --#include - #include - #include - #include -diff --git a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h -index 20287119..eba406d4 100644 ---- a/src/daemon/modules/image/oci/storage/layer_store/layer_store.h -+++ b/src/daemon/modules/image/oci/storage/layer_store/layer_store.h -@@ -24,10 +24,6 @@ - #include "storage.h" - #include "io_wrapper.h" - --struct io_read_wrapper; --struct layer_list; --struct storage_module_init_options; -- - #ifdef __cplusplus - extern "C" { - #endif -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -index 38d9b0ce..86e05ac2 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/overlay_remote_impl.c -@@ -185,7 +185,6 @@ static int remove_one_remote_overlay_layer(struct remote_overlay_data *data, con - } - - link_id = (char *)map_search(overlay_id_link, (void *)overlay_id); -- - if (link_id == NULL) { - ERROR("Failed to find link id for overlay layer: %s", overlay_id); - ret = -1; -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -index 5bf9869b..eb919321 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.c -@@ -1,5 +1,5 @@ - /****************************************************************************** -- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2020. All rights reserved. -+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -diff --git a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h -index 30e3ebb0..545cbe49 100644 ---- a/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h -+++ b/src/daemon/modules/image/oci/storage/remote_layer_support/remote_support.h -@@ -1,5 +1,5 @@ - /****************************************************************************** -- * Copyright (c) Huawei Technologies Co., Ltd. 2020-2023. All rights reserved. -+ * Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. - * iSulad licensed under the Mulan PSL v2. - * You can use this software according to the terms and conditions of the Mulan PSL v2. - * You may obtain a copy of Mulan PSL v2 at: -diff --git a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h -index 63f3294b..d618c401 100644 ---- a/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h -+++ b/src/daemon/modules/image/oci/storage/rootfs_store/rootfs_store.h -@@ -24,10 +24,6 @@ - #include "storage.h" - #include "rootfs.h" - --struct rootfs_list; --struct storage_module_init_options; --struct storage_rootfs_options; -- - #ifdef __cplusplus - extern "C" { - #endif --- -2.25.1 - diff --git a/0021-2157-bugfix-for-memset.patch b/0021-2157-bugfix-for-memset.patch deleted file mode 100644 index 644e841..0000000 --- a/0021-2157-bugfix-for-memset.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 14bc12be8e4219a78b877e60affd4f584ccab220 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Tue, 29 Aug 2023 13:18:34 +0000 -Subject: [PATCH 21/32] !2157 bugfix for memset * bugfix for memset - ---- - src/daemon/modules/image/image_rootfs_handler.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/daemon/modules/image/image_rootfs_handler.c b/src/daemon/modules/image/image_rootfs_handler.c -index a8036ab9..ceea4f5b 100644 ---- a/src/daemon/modules/image/image_rootfs_handler.c -+++ b/src/daemon/modules/image/image_rootfs_handler.c -@@ -137,7 +137,7 @@ static int proc_by_fpasswd(FILE *f_passwd, const char *user, defs_process_user * - - out: - memset(buf, 0, sizeof(buf)); -- memset(pwbufp, 0, sizeof(struct passwd)); -+ memset(&pw, 0, sizeof(struct passwd)); - return ret; - } - --- -2.25.1 - diff --git a/0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch b/0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch deleted file mode 100644 index 2c3d826..0000000 --- a/0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch +++ /dev/null @@ -1,223 +0,0 @@ -From 0c0bc7a873cb5377aa0d5587c28d711a09f00811 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Wed, 30 Aug 2023 09:56:29 +0000 -Subject: [PATCH 22/32] !2159 use macros to isolate the password option of - login and the plugin module * use macros to isolate the password option of - login and the plugin module - ---- - cmake/options.cmake | 14 ++++++++++ - src/cmd/isula/images/login.h | 28 +++++++++++++------ - src/cmd/isulad/main.c | 2 ++ - .../executor/container_cb/execution_create.c | 2 ++ - src/daemon/modules/CMakeLists.txt | 13 +++++++-- - src/daemon/modules/api/CMakeLists.txt | 3 ++ - .../container/container_events_handler.c | 2 ++ - .../modules/service/service_container.c | 4 +++ - 8 files changed, 57 insertions(+), 11 deletions(-) - -diff --git a/cmake/options.cmake b/cmake/options.cmake -index 5fc5c221..e733fd1c 100644 ---- a/cmake/options.cmake -+++ b/cmake/options.cmake -@@ -138,6 +138,20 @@ if (ENABLE_NATIVE_NETWORK OR ENABLE_GRPC) - set(ENABLE_NETWORK 1) - endif() - -+option(ENABLE_PLUGIN "enable plugin module" OFF) -+if (ENABLE_PLUGIN STREQUAL "ON") -+ add_definitions(-DENABLE_PLUGIN=1) -+ set(ENABLE_PLUGIN 1) -+ message("${Green}-- Enable plugin module${ColourReset}") -+endif() -+ -+option(ENABLE_LOGIN_PASSWORD_OPTION "enable login password option" ON) -+if (ENABLE_LOGIN_PASSWORD_OPTION STREQUAL "ON") -+ add_definitions(-DENABLE_LOGIN_PASSWORD_OPTION=1) -+ set(ENABLE_LOGIN_PASSWORD_OPTION 1) -+ message("${Green}-- Enable login password option${ColourReset}") -+endif() -+ - option(EANBLE_IMAGE_LIBARAY "create libisulad_image.so" ON) - if (EANBLE_IMAGE_LIBARAY STREQUAL "ON") - add_definitions(-DEANBLE_IMAGE_LIBARAY) -diff --git a/src/cmd/isula/images/login.h b/src/cmd/isula/images/login.h -index 5f9a676c..38829cba 100644 ---- a/src/cmd/isula/images/login.h -+++ b/src/cmd/isula/images/login.h -@@ -24,16 +24,28 @@ - extern "C" { - #endif - -+#ifdef ENABLE_LOGIN_PASSWORD_OPTION - #define LOGIN_OPTIONS(cmdargs) \ -- { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \ -- { CMD_OPT_TYPE_STRING_DUP, false, "password", 'p', &(cmdargs).password, "Password", NULL }, \ -- { CMD_OPT_TYPE_BOOL, \ -- false, \ -- "password-stdin", \ -- 0, \ -- &(cmdargs).password_stdin, \ -- "Take the password from stdin", \ -+ { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \ -+ { CMD_OPT_TYPE_STRING_DUP, false, "password", 'p', &(cmdargs).password, "Password", NULL }, \ -+ { CMD_OPT_TYPE_BOOL, \ -+ false, \ -+ "password-stdin", \ -+ 0, \ -+ &(cmdargs).password_stdin, \ -+ "Take the password from stdin", \ - NULL }, -+#else -+#define LOGIN_OPTIONS(cmdargs) \ -+ { CMD_OPT_TYPE_STRING_DUP, false, "username", 'u', &(cmdargs).username, "Username", NULL }, \ -+ { CMD_OPT_TYPE_BOOL, \ -+ false, \ -+ "password-stdin", \ -+ 0, \ -+ &(cmdargs).password_stdin, \ -+ "Take the password from stdin", \ -+ NULL }, -+#endif - - extern const char g_cmd_login_desc[]; - extern const char g_cmd_login_usage[]; -diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c -index 8369f9e2..4740f91a 100644 ---- a/src/cmd/isulad/main.c -+++ b/src/cmd/isulad/main.c -@@ -1685,10 +1685,12 @@ int main(int argc, char **argv) - goto failure; - } - -+#ifdef ENABLE_PLUGIN - if (start_plugin_manager()) { - ERROR("Failed to init plugin_manager"); - goto failure; - } -+#endif - - clock_gettime(CLOCK_MONOTONIC, &t_end); - use_time = (double)(t_end.tv_sec - t_start.tv_sec) * (double)1000000000 + (double)(t_end.tv_nsec - t_start.tv_nsec); -diff --git a/src/daemon/executor/container_cb/execution_create.c b/src/daemon/executor/container_cb/execution_create.c -index 9c097121..377aa1aa 100644 ---- a/src/daemon/executor/container_cb/execution_create.c -+++ b/src/daemon/executor/container_cb/execution_create.c -@@ -1499,6 +1499,7 @@ int container_create_cb(const container_create_request *request, container_creat - goto clean_netns; - } - -+#ifdef ENABLE_PLUGIN - /* modify oci_spec by plugin. */ - if (plugin_event_container_pre_create(id, oci_spec) != 0) { - ERROR("Plugin event pre create failed"); -@@ -1506,6 +1507,7 @@ int container_create_cb(const container_create_request *request, container_creat - cc = ISULAD_ERR_EXEC; - goto clean_netns; - } -+#endif - - host_channel = dup_host_channel(host_spec->host_channel); - if (prepare_host_channel(host_channel, host_spec->user_remap)) { -diff --git a/src/daemon/modules/CMakeLists.txt b/src/daemon/modules/CMakeLists.txt -index 5d13412b..a70c094f 100644 ---- a/src/daemon/modules/CMakeLists.txt -+++ b/src/daemon/modules/CMakeLists.txt -@@ -3,7 +3,6 @@ - aux_source_directory(${CMAKE_CURRENT_SOURCE_DIR} modules_top_srcs) - add_subdirectory(runtime) - add_subdirectory(image) --add_subdirectory(plugin) - add_subdirectory(spec) - add_subdirectory(container) - add_subdirectory(log) -@@ -17,7 +16,6 @@ set(local_modules_srcs - ${modules_top_srcs} - ${RUNTIME_SRCS} - ${IMAGE_SRCS} -- ${PLUGIN_SRCS} - ${SPEC_SRCS} - ${MANAGER_SRCS} - ${LOG_GATHER_SRCS} -@@ -31,7 +29,6 @@ set(local_modules_incs - ${CMAKE_CURRENT_SOURCE_DIR} - ${RUNTIME_INCS} - ${IMAGE_INCS} -- ${PLUGIN_INCS} - ${SPEC_INCS} - ${MANAGER_INCS} - ${LOG_GATHER_INCS} -@@ -42,6 +39,16 @@ set(local_modules_incs - ${VOLUME_INCS} - ) - -+if (ENABLE_PLUGIN) -+ add_subdirectory(plugin) -+ list(APPEND local_modules_srcs -+ ${PLUGIN_SRCS} -+ ) -+ list(APPEND local_modules_incs -+ ${PLUGIN_INCS} -+ ) -+endif() -+ - set(MODULES_SRCS - ${local_modules_srcs} - PARENT_SCOPE -diff --git a/src/daemon/modules/api/CMakeLists.txt b/src/daemon/modules/api/CMakeLists.txt -index f577c45f..0735b25a 100644 ---- a/src/daemon/modules/api/CMakeLists.txt -+++ b/src/daemon/modules/api/CMakeLists.txt -@@ -9,3 +9,6 @@ set(MODULES_API_INCS - PARENT_SCOPE - ) - -+if (NOT ENABLE_PLUGIN) -+ list(REMOVE_ITEM MODULES_API_INCS "${CMAKE_CURRENT_SOURCE_DIR}/plugin_api.h") -+endif() -diff --git a/src/daemon/modules/container/container_events_handler.c b/src/daemon/modules/container/container_events_handler.c -index d78e6fc1..d56c2ee0 100644 ---- a/src/daemon/modules/container/container_events_handler.c -+++ b/src/daemon/modules/container/container_events_handler.c -@@ -155,7 +155,9 @@ static int container_state_changed(container_t *cont, const struct isulad_events - } else { - container_state_set_stopped(cont->state, (int)events->exit_status); - container_wait_stop_cond_broadcast(cont); -+#ifdef ENABLE_PLUGIN - plugin_event_container_post_stop(cont); -+#endif - } - - auto_remove = !should_restart && cont->hostconfig != NULL && cont->hostconfig->auto_remove; -diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c -index 1fa2559d..2d393f62 100644 ---- a/src/daemon/modules/service/service_container.c -+++ b/src/daemon/modules/service/service_container.c -@@ -807,12 +807,14 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo - open_stdin = cont->common_config->config->open_stdin; - } - -+#ifdef ENABLE_PLUGIN - if (plugin_event_container_pre_start(cont)) { - ERROR("Plugin event pre start failed "); - plugin_event_container_post_stop(cont); /* ignore error */ - ret = -1; - goto close_exit_fd; - } -+#endif - - #ifdef ENABLE_CRI_API_V1 - if (cont->common_config->sandbox_info != NULL && -@@ -1370,7 +1372,9 @@ int delete_container(container_t *cont, bool force) - } - } - -+#ifdef ENABLE_PLUGIN - plugin_event_container_post_remove(cont); -+#endif - - ret = do_delete_container(cont); - if (ret != 0) { --- -2.25.1 - diff --git a/0023-2161-bugfix-for-api-cmakelist.patch b/0023-2161-bugfix-for-api-cmakelist.patch deleted file mode 100644 index 94c5b6e..0000000 --- a/0023-2161-bugfix-for-api-cmakelist.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 6b02ac8055379fa0b907f5ed10c5bd974cade90f Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Thu, 31 Aug 2023 01:55:41 +0000 -Subject: [PATCH 23/32] !2161 bugfix for api cmakelist * bugfix for api - cmakelist - ---- - src/daemon/modules/api/CMakeLists.txt | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/src/daemon/modules/api/CMakeLists.txt b/src/daemon/modules/api/CMakeLists.txt -index 0735b25a..357566fa 100644 ---- a/src/daemon/modules/api/CMakeLists.txt -+++ b/src/daemon/modules/api/CMakeLists.txt -@@ -8,7 +8,3 @@ set(MODULES_API_INCS - ${CMAKE_CURRENT_SOURCE_DIR} - PARENT_SCOPE - ) -- --if (NOT ENABLE_PLUGIN) -- list(REMOVE_ITEM MODULES_API_INCS "${CMAKE_CURRENT_SOURCE_DIR}/plugin_api.h") --endif() --- -2.25.1 - diff --git a/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch b/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch deleted file mode 100644 index eee611a..0000000 --- a/0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch +++ /dev/null @@ -1,140 +0,0 @@ -From 64f94112728f35ee76d56fa4cf6dc41bd5cd5d33 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sat, 2 Sep 2023 08:56:38 +0000 -Subject: [PATCH 24/32] !2165 preventing the use of insecure isulad tmpdir - directory * preventing the use of insecure isulad tmpdir directory - ---- - src/common/constants.h | 2 + - .../container/leftover_cleanup/cleanup.c | 66 ++++++++++++++++++- - src/daemon/modules/image/oci/utils_images.c | 10 +++ - 3 files changed, 77 insertions(+), 1 deletion(-) - -diff --git a/src/common/constants.h b/src/common/constants.h -index d93bb464..c0417263 100644 ---- a/src/common/constants.h -+++ b/src/common/constants.h -@@ -50,6 +50,8 @@ extern "C" { - - #define TEMP_DIRECTORY_MODE 0700 - -+#define ISULAD_TEMP_DIRECTORY_MODE 0660 -+ - #define CONSOLE_FIFO_DIRECTORY_MODE 0770 - - #define SOCKET_GROUP_DIRECTORY_MODE 0660 -diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c -index 9a38ffc2..f24ec467 100644 ---- a/src/daemon/modules/container/leftover_cleanup/cleanup.c -+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c -@@ -13,6 +13,8 @@ - * Description: provide cleanup functions - *********************************************************************************/ - #include -+#include -+#include - - #include "utils.h" - #include "utils_fs.h" -@@ -169,6 +171,67 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su - return true; - } - -+static int isulad_tmpdir_security_check(const char *tmpdir) -+{ -+ struct stat st = { 0 }; -+ -+ if (lstat(tmpdir, &st) != 0) { -+ SYSERROR("Failed to lstat %s", tmpdir); -+ return -1; -+ } -+ -+ if (!S_ISDIR(st.st_mode)) { -+ return -1; -+ } -+ -+ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { -+ return -1; -+ } -+ -+ if (st.st_uid != 0) { -+ return -1; -+ } -+ -+ if (S_ISLNK(st.st_mode)) { -+ return -1; -+ } -+ -+ return 0; -+} -+ -+static int recreate_tmpdir(const char *tmpdir) -+{ -+ int ret; -+ struct stat st = { 0 }; -+ -+ if (util_recursive_rmdir(tmpdir, 0)) { -+ ERROR("Failed to remove directory %s", tmpdir); -+ return -1; -+ } -+ -+ if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) { -+ ERROR("Failed to create directory %s", tmpdir); -+ return -1; -+ } -+ -+ if (lstat(tmpdir, &st) != 0) { -+ SYSERROR("Failed to lstat %s", tmpdir); -+ return -1; -+ } -+ -+ return ret; -+} -+ -+static int ensure_isulad_tmpdir_security(const char *tmpdir) -+{ -+ if (isulad_tmpdir_security_check(tmpdir) == 0) { -+ return 0; -+ } -+ -+ INFO("iSulad tmpdir does not meet security requirements, recreate it"); -+ return recreate_tmpdir(tmpdir); -+} -+ - static void cleanup_path(char *dir) - { - int nret; -@@ -186,7 +249,8 @@ static void cleanup_path(char *dir) - return; - } - -- if (!util_dir_exists(cleanpath)) { -+ // preventing the use of insecure isulad tmpdir directory -+ if (ensure_isulad_tmpdir_security(cleanpath) != 0) { - return; - } - -diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c -index f8fd1e73..4342db5b 100644 ---- a/src/daemon/modules/image/oci/utils_images.c -+++ b/src/daemon/modules/image/oci/utils_images.c -@@ -630,6 +630,16 @@ int makesure_isulad_tmpdir_perm_right(const char *root_dir) - goto out; - } - -+ if ((st.st_mode & 0777) != TEMP_DIRECTORY_MODE) { -+ ret = -1; -+ goto out; -+ } -+ -+ if (S_ISLNK(st.st_mode)) { -+ ret = -1; -+ goto out; -+ } -+ - // chown to root - ret = lchown(isulad_tmpdir, 0, 0); - if (ret == 0 || (ret == EPERM && st.st_uid == 0 && st.st_gid == 0)) { --- -2.25.1 - diff --git a/0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch b/0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch deleted file mode 100644 index 52d66b2..0000000 --- a/0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch +++ /dev/null @@ -1,238 +0,0 @@ -From c2af7f7d7f6b0f1aaa884204a037e8275092121a Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sat, 2 Sep 2023 10:38:29 +0000 -Subject: [PATCH 25/32] !2166 move ensure_isulad_tmpdir_security function to - main.c * move ensure_isulad_tmpdir_security function to main.c - ---- - src/cmd/isulad/main.c | 101 ++++++++++++++++++ - .../container/leftover_cleanup/cleanup.c | 66 +----------- - src/utils/tar/util_archive.c | 2 +- - 3 files changed, 103 insertions(+), 66 deletions(-) - -diff --git a/src/cmd/isulad/main.c b/src/cmd/isulad/main.c -index 4740f91a..e32fed6a 100644 ---- a/src/cmd/isulad/main.c -+++ b/src/cmd/isulad/main.c -@@ -1222,6 +1222,101 @@ out: - return ret; - } - -+static int isulad_tmpdir_security_check(const char *tmp_dir) -+{ -+ struct stat st = { 0 }; -+ -+ if (lstat(tmp_dir, &st) != 0) { -+ SYSERROR("Failed to lstat %s", tmp_dir); -+ return -1; -+ } -+ -+ if (!S_ISDIR(st.st_mode)) { -+ return -1; -+ } -+ -+ if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { -+ return -1; -+ } -+ -+ if (st.st_uid != 0) { -+ return -1; -+ } -+ -+ if (S_ISLNK(st.st_mode)) { -+ return -1; -+ } -+ -+ return 0; -+} -+ -+static int recreate_tmpdir(const char *tmp_dir) -+{ -+ if (util_recursive_rmdir(tmp_dir, 0) != 0) { -+ ERROR("Failed to remove directory %s", tmp_dir); -+ return -1; -+ } -+ -+ if (util_mkdir_p(tmp_dir, ISULAD_TEMP_DIRECTORY_MODE) != 0) { -+ ERROR("Failed to create directory %s", tmp_dir); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+static int do_ensure_isulad_tmpdir_security(const char *isulad_tmp_dir) -+{ -+ int nret; -+ char tmp_dir[PATH_MAX] = { 0 }; -+ char cleanpath[PATH_MAX] = { 0 }; -+ -+ nret = snprintf(tmp_dir, PATH_MAX, "%s/isulad_tmpdir", isulad_tmp_dir); -+ if (nret < 0 || (size_t)nret >= PATH_MAX) { -+ ERROR("Failed to snprintf"); -+ return -1; -+ } -+ -+ if (util_clean_path(tmp_dir, cleanpath, sizeof(cleanpath)) == NULL) { -+ ERROR("Failed to clean path for %s", tmp_dir); -+ return -1; -+ } -+ -+ if (isulad_tmpdir_security_check(cleanpath) == 0) { -+ return 0; -+ } -+ -+ INFO("iSulad tmpdir: %s does not meet security requirements, recreate it", isulad_tmp_dir); -+ return recreate_tmpdir(cleanpath); -+} -+ -+static int ensure_isulad_tmpdir_security() -+{ -+ char *isulad_tmp_dir = NULL; -+ -+ isulad_tmp_dir = getenv("ISULAD_TMPDIR"); -+ if (!util_valid_str(isulad_tmp_dir)) { -+ isulad_tmp_dir = "/tmp"; -+ } -+ -+ if (do_ensure_isulad_tmpdir_security(isulad_tmp_dir) != 0) { -+ ERROR("Failed to ensure the %s directory is a safe directory", isulad_tmp_dir); -+ return -1; -+ } -+ -+ if (strcmp(isulad_tmp_dir, "/tmp") == 0) { -+ return 0; -+ } -+ -+ // No matter whether ISULAD_TMPDIR is set or not, -+ // ensure the "/tmp" directory is a safe directory -+ if (do_ensure_isulad_tmpdir_security("/tmp") != 0) { -+ WARN("Failed to ensure the /tmp directory is a safe directory"); -+ } -+ -+ return 0; -+} -+ - static int isulad_server_init_common() - { - int ret = -1; -@@ -1261,6 +1356,12 @@ static int isulad_server_init_common() - goto out; - } - -+ // preventing the use of insecure isulad tmpdir directory -+ if (ensure_isulad_tmpdir_security() != 0) { -+ ERROR("Failed to ensure isulad tmpdir security"); -+ goto out; -+ } -+ - if (volume_init(args->json_confs->graph) != 0) { - ERROR("Failed to init volume"); - goto out; -diff --git a/src/daemon/modules/container/leftover_cleanup/cleanup.c b/src/daemon/modules/container/leftover_cleanup/cleanup.c -index f24ec467..9a38ffc2 100644 ---- a/src/daemon/modules/container/leftover_cleanup/cleanup.c -+++ b/src/daemon/modules/container/leftover_cleanup/cleanup.c -@@ -13,8 +13,6 @@ - * Description: provide cleanup functions - *********************************************************************************/ - #include --#include --#include - - #include "utils.h" - #include "utils_fs.h" -@@ -171,67 +169,6 @@ static bool walk_isulad_tmpdir_cb(const char *path_name, const struct dirent *su - return true; - } - --static int isulad_tmpdir_security_check(const char *tmpdir) --{ -- struct stat st = { 0 }; -- -- if (lstat(tmpdir, &st) != 0) { -- SYSERROR("Failed to lstat %s", tmpdir); -- return -1; -- } -- -- if (!S_ISDIR(st.st_mode)) { -- return -1; -- } -- -- if ((st.st_mode & 0777) != ISULAD_TEMP_DIRECTORY_MODE) { -- return -1; -- } -- -- if (st.st_uid != 0) { -- return -1; -- } -- -- if (S_ISLNK(st.st_mode)) { -- return -1; -- } -- -- return 0; --} -- --static int recreate_tmpdir(const char *tmpdir) --{ -- int ret; -- struct stat st = { 0 }; -- -- if (util_recursive_rmdir(tmpdir, 0)) { -- ERROR("Failed to remove directory %s", tmpdir); -- return -1; -- } -- -- if (util_mkdir_p(tmpdir, ISULAD_TEMP_DIRECTORY_MODE)) { -- ERROR("Failed to create directory %s", tmpdir); -- return -1; -- } -- -- if (lstat(tmpdir, &st) != 0) { -- SYSERROR("Failed to lstat %s", tmpdir); -- return -1; -- } -- -- return ret; --} -- --static int ensure_isulad_tmpdir_security(const char *tmpdir) --{ -- if (isulad_tmpdir_security_check(tmpdir) == 0) { -- return 0; -- } -- -- INFO("iSulad tmpdir does not meet security requirements, recreate it"); -- return recreate_tmpdir(tmpdir); --} -- - static void cleanup_path(char *dir) - { - int nret; -@@ -249,8 +186,7 @@ static void cleanup_path(char *dir) - return; - } - -- // preventing the use of insecure isulad tmpdir directory -- if (ensure_isulad_tmpdir_security(cleanpath) != 0) { -+ if (!util_dir_exists(cleanpath)) { - return; - } - -diff --git a/src/utils/tar/util_archive.c b/src/utils/tar/util_archive.c -index 82194654..82e940a5 100644 ---- a/src/utils/tar/util_archive.c -+++ b/src/utils/tar/util_archive.c -@@ -220,7 +220,7 @@ static int make_safedir_is_noexec(const char *flock_path, const char *dstdir, ch - } - - // ensure parent dir is exist -- if (util_mkdir_p(cleanpath, buf.st_mode) != 0) { -+ if (util_mkdir_p(cleanpath, ISULAD_TEMP_DIRECTORY_MODE) != 0) { - return -1; - } - --- -2.25.1 - diff --git a/0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch b/0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch deleted file mode 100644 index 0043b81..0000000 --- a/0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 4e6473570e3a5cd59585818216218a7a512790a5 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Mon, 4 Sep 2023 08:45:55 +0000 -Subject: [PATCH 26/32] !2169 using macros to isolate isulad's enable_plugin - configuration option * using macros to isolate isulad's enable_plugin - configuration option - ---- - src/cmd/isulad/isulad_commands.h | 15 +++++++++++---- - src/common/constants.h | 2 ++ - src/daemon/config/isulad_config.c | 4 ++++ - src/daemon/config/isulad_config.h | 2 ++ - 4 files changed, 19 insertions(+), 4 deletions(-) - -diff --git a/src/cmd/isulad/isulad_commands.h b/src/cmd/isulad/isulad_commands.h -index 6a8220cc..05d3551c 100644 ---- a/src/cmd/isulad/isulad_commands.h -+++ b/src/cmd/isulad/isulad_commands.h -@@ -78,6 +78,16 @@ int command_default_ulimit_append(command_option_t *option, const char *arg); - #define USERNS_REMAP_OPT(cmdargs) - #endif - -+#ifdef ENABLE_PLUGIN -+#define PLUGINS_OPT(cmdargs) \ -+ { CMD_OPT_TYPE_STRING_DUP, \ -+ false, "enable-plugins", 0, &(cmdargs)->json_confs->enable_plugins, \ -+ "Enable plugins for all containers", NULL \ -+ }, -+#else -+#define PLUGINS_OPT(cmdargs) -+#endif -+ - #ifdef ENABLE_GRPC_REMOTE_CONNECT - #define ISULAD_TLS_OPTIONS(cmdargs) \ - { CMD_OPT_TYPE_STRING_DUP, \ -@@ -326,10 +336,7 @@ int command_default_ulimit_append(command_option_t *option, const char *arg); - false, "cpu-rt-runtime", 0, &(cmdargs)->json_confs->cpu_rt_runtime, \ - "Limit CPU real-time runtime in microseconds for all containers", command_convert_llong \ - }, \ -- { CMD_OPT_TYPE_STRING_DUP, \ -- false, "enable-plugins", 0, &(cmdargs)->json_confs->enable_plugins, \ -- "Enable plugins for all containers", NULL \ -- }, \ -+ PLUGINS_OPT(cmdargs) \ - { CMD_OPT_TYPE_CALLBACK, \ - false, "cri-runtime", 0, (cmdargs), \ - "CRI runtime class transform", server_callback_cri_runtime \ -diff --git a/src/common/constants.h b/src/common/constants.h -index c0417263..f98fb930 100644 ---- a/src/common/constants.h -+++ b/src/common/constants.h -@@ -134,9 +134,11 @@ extern "C" { - - #define AUTH_PLUGIN "authz-broker" - -+#ifdef ENABLE_PLUGIN - #define ISULAD_ENABLE_PLUGINS "ISULAD_ENABLE_PLUGINS" - #define ISULAD_ENABLE_PLUGINS_SEPERATOR "," - #define ISULAD_ENABLE_PLUGINS_SEPERATOR_CHAR ',' -+#endif - - #ifdef ENABLE_NETWORK - #define ISULAD_CNI_NETWORK_CONF_FILE_PRE "isulacni-" -diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c -index f600f0cf..72722c30 100644 ---- a/src/daemon/config/isulad_config.c -+++ b/src/daemon/config/isulad_config.c -@@ -1253,6 +1253,7 @@ out: - return result; - } - -+#ifdef ENABLE_PLUGIN - char *conf_get_enable_plugins(void) - { - struct service_arguments *conf = NULL; -@@ -1274,6 +1275,7 @@ out: - (void)isulad_server_conf_unlock(); - return plugins; - } -+#endif - - #ifdef ENABLE_USERNS_REMAP - char *conf_get_isulad_userns_remap(void) -@@ -1739,7 +1741,9 @@ int merge_json_confs_into_global(struct service_arguments *args) - override_string_value(&args->json_confs->pidfile, &tmp_json_confs->pidfile); - // iSulad runtime execution options - override_string_value(&args->json_confs->hook_spec, &tmp_json_confs->hook_spec); -+#ifdef ENABLE_PLUGIN - override_string_value(&args->json_confs->enable_plugins, &tmp_json_confs->enable_plugins); -+#endif - #ifdef ENABLE_USERNS_REMAP - override_string_value(&args->json_confs->userns_remap, &tmp_json_confs->userns_remap); - #endif -diff --git a/src/daemon/config/isulad_config.h b/src/daemon/config/isulad_config.h -index 4fe1acdc..459ea331 100644 ---- a/src/daemon/config/isulad_config.h -+++ b/src/daemon/config/isulad_config.h -@@ -60,7 +60,9 @@ int conf_get_container_log_opts(isulad_daemon_configs_container_log **opts); - - char *conf_get_isulad_log_file(void); - char *conf_get_engine_log_file(void); -+#ifdef ENABLE_PLUGIN - char *conf_get_enable_plugins(void); -+#endif - #ifdef ENABLE_USERNS_REMAP - char *conf_get_isulad_userns_remap(void); - #endif --- -2.25.1 - diff --git a/0027-2178-clean-path-for-fpath-and-verify-chain-id.patch b/0027-2178-clean-path-for-fpath-and-verify-chain-id.patch deleted file mode 100644 index 5f3bd8c..0000000 --- a/0027-2178-clean-path-for-fpath-and-verify-chain-id.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 6dcde807f5bba8ff1aa7d049856f3eddd4b0586f Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sat, 9 Sep 2023 06:48:39 +0000 -Subject: [PATCH 27/32] !2178 clean path for fpath and verify chain id Merge - pull request !2178 from zhongtao/image - ---- - src/daemon/modules/image/oci/oci_load.c | 30 +++++++++++++++++-- - .../modules/image/oci/registry/registry.c | 2 +- - 2 files changed, 28 insertions(+), 4 deletions(-) - -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index 569c5346..fd707330 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -27,8 +27,10 @@ - #include - #include - #include -+#include - - #include "utils.h" -+#include "path.h" - #include "isula_libutils/log.h" - #include "util_archive.h" - #include "storage.h" -@@ -717,6 +719,9 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items - } - - for (; i < conf->rootfs->diff_ids_len; i++) { -+ char *fpath = NULL; -+ char cleanpath[PATH_MAX] = { 0 }; -+ - im->layers[i] = util_common_calloc_s(sizeof(load_layer_blob_t)); - if (im->layers[i] == NULL) { - ERROR("Out of memory"); -@@ -724,12 +729,31 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items - goto out; - } - -- im->layers[i]->fpath = util_path_join(dstdir, manifest->layers[i]); -- if (im->layers[i]->fpath == NULL) { -- ERROR("Path join failed"); -+ fpath = util_path_join(dstdir, manifest->layers[i]); -+ if (fpath == NULL) { -+ ERROR("Failed to join path"); -+ ret = -1; -+ goto out; -+ } -+ -+ if (util_clean_path(fpath, cleanpath, sizeof(cleanpath)) == NULL) { -+ ERROR("Failed to clean path for %s", fpath); -+ free(fpath); -+ ret = -1; -+ goto out; -+ } -+ -+ free(fpath); -+ -+ // verify whether the prefix of the path is dstdir to prevent illegal directories -+ if (strncmp(cleanpath, dstdir, strlen(dstdir)) != 0) { -+ ERROR("Illegal directory: %s", cleanpath); - ret = -1; - goto out; - } -+ -+ im->layers[i]->fpath = util_strdup_s(cleanpath); -+ - // The format is sha256:xxx - im->layers[i]->chain_id = oci_load_calc_chain_id(parent_chain_id_sha256, conf->rootfs->diff_ids[i]); - if (im->layers[i]->chain_id == NULL) { -diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c -index e0b46e2e..35753c79 100644 ---- a/src/daemon/modules/image/oci/registry/registry.c -+++ b/src/daemon/modules/image/oci/registry/registry.c -@@ -600,7 +600,7 @@ static int register_layer(pull_descriptor *desc, size_t i) - return 0; - } - -- id = util_without_sha256_prefix(desc->layers[i].chain_id); -+ id = oci_image_id_from_digest(desc->layers[i].chain_id); - if (id == NULL) { - ERROR("layer %zu have NULL digest for image %s", i, desc->image_name); - return -1; --- -2.25.1 - diff --git a/0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch b/0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch deleted file mode 100644 index 8410732..0000000 --- a/0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From a291302fe12e21207c30ebffebf852cb37aface4 Mon Sep 17 00:00:00 2001 -From: zhongtao -Date: Sat, 9 Sep 2023 08:11:06 +0000 -Subject: [PATCH 28/32] !2179 modify the permissions of tmpdir and file lock to - 600 Merge pull request !2179 from zhongtao/mode - ---- - src/common/constants.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/common/constants.h b/src/common/constants.h -index f98fb930..caf9b793 100644 ---- a/src/common/constants.h -+++ b/src/common/constants.h -@@ -50,7 +50,7 @@ extern "C" { - - #define TEMP_DIRECTORY_MODE 0700 - --#define ISULAD_TEMP_DIRECTORY_MODE 0660 -+#define ISULAD_TEMP_DIRECTORY_MODE 0600 - - #define CONSOLE_FIFO_DIRECTORY_MODE 0770 - -@@ -70,7 +70,7 @@ extern "C" { - - #define DEFAULT_HIGHEST_DIRECTORY_MODE 0755 - --#define MOUNT_FLOCK_FILE_MODE 0660 -+#define MOUNT_FLOCK_FILE_MODE 0600 - - #define ISULAD_CONFIG SYSCONFDIR_PREFIX"/etc/isulad" - --- -2.25.1 - diff --git a/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch b/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch deleted file mode 100644 index c8954ed..0000000 --- a/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch +++ /dev/null @@ -1,202 +0,0 @@ -From 460c943125d9eca7cb4259d42c6c008a709e9dbe Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Wed, 23 Aug 2023 15:42:42 +0800 -Subject: [PATCH 29/32] [image] ensure id of loaded and pulled image is valid - -Signed-off-by: haozi007 ---- - src/daemon/modules/image/oci/oci_import.c | 14 ++++++++++--- - src/daemon/modules/image/oci/oci_load.c | 21 ++++++------------- - .../modules/image/oci/registry/registry.c | 8 ++++++- - src/daemon/modules/image/oci/utils_images.c | 17 ++++++++++++++- - src/daemon/modules/image/oci/utils_images.h | 3 +++ - src/utils/cutils/utils.h | 2 -- - src/utils/sha256/sha256.c | 1 - - 7 files changed, 43 insertions(+), 23 deletions(-) - -diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c -index 1e14a916..0568c23f 100644 ---- a/src/daemon/modules/image/oci/oci_import.c -+++ b/src/daemon/modules/image/oci/oci_import.c -@@ -93,7 +93,7 @@ static int register_layer(import_desc *desc) - return -1; - } - -- id = util_without_sha256_prefix(desc->uncompressed_digest); -+ id = oci_image_id_from_digest(desc->uncompressed_digest); - if (id == NULL) { - ERROR("Invalid NULL param"); - return -1; -@@ -315,8 +315,16 @@ static int register_image(import_desc *desc) - opts.create_time = &desc->now_time; - opts.digest = desc->manifest_digest; - -- image_id = util_without_sha256_prefix(desc->config_digest); -- top_layer_id = util_without_sha256_prefix(desc->uncompressed_digest); -+ image_id = oci_image_id_from_digest(desc->config_digest); -+ if (image_id == NULL) { -+ ret = -1; -+ goto out; -+ } -+ top_layer_id = oci_image_id_from_digest(desc->uncompressed_digest); -+ if (top_layer_id == NULL) { -+ ret = -1; -+ goto out; -+ } - ret = storage_img_create(image_id, top_layer_id, NULL, &opts); - if (ret != 0) { - pre_top_layer = storage_get_img_top_layer(image_id); -diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c -index fd707330..31ae3849 100644 ---- a/src/daemon/modules/image/oci/oci_load.c -+++ b/src/daemon/modules/image/oci/oci_load.c -@@ -290,16 +290,6 @@ out: - return full_digest; - } - --static char *oci_load_without_sha256_prefix(char *digest) --{ -- if (digest == NULL) { -- ERROR("Invalid digest NULL when strip sha256 prefix"); -- return NULL; -- } -- -- return digest + strlen(SHA256_PREFIX); --} -- - static int registry_layer_from_tarball(const load_layer_blob_t *layer, const char *id, const char *parent) - { - int ret = 0; -@@ -345,7 +335,7 @@ static int oci_load_register_layers(load_image_t *desc) - } - - for (i = 0; i < desc->layers_len; i++) { -- id = oci_load_without_sha256_prefix(desc->layers[i]->chain_id); -+ id = oci_image_id_from_digest(desc->layers[i]->chain_id); - if (id == NULL) { - ERROR("layer %zu have NULL digest for image %s", i, desc->im_id); - ret = -1; -@@ -457,7 +447,7 @@ static int oci_load_create_image(load_image_t *desc, const char *dst_tag) - top_layer_index = desc->layers_len - 1; - opts.create_time = ×tamp; - opts.digest = desc->manifest_digest; -- top_layer_id = oci_load_without_sha256_prefix(desc->layers[top_layer_index]->chain_id); -+ top_layer_id = oci_image_id_from_digest(desc->layers[top_layer_index]->chain_id); - if (top_layer_id == NULL) { - ERROR("NULL top layer id found for image %s", desc->im_id); - ret = -1; -@@ -764,7 +754,7 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items - } - parent_chain_id_sha256 = im->layers[i]->chain_id; - -- id = oci_load_without_sha256_prefix(im->layers[i]->chain_id); -+ id = oci_image_id_from_digest(im->layers[i]->chain_id); - if (id == NULL) { - ERROR("Wipe out sha256 prefix failed from layer with chain id : %s", im->layers[i]->chain_id); - ret = -1; -@@ -832,7 +822,8 @@ static load_image_t *oci_load_process_manifest(const image_manifest_items_elemen - goto out; - } - -- image_id = oci_load_without_sha256_prefix(image_digest); -+ // call util_valid_digest to ensure digest is valid, so image id is valid -+ image_id = oci_image_id_from_digest(image_digest); - if (image_id == NULL) { - ret = -1; - ERROR("Remove sha256 prefix error from image digest %s", image_digest); -@@ -872,7 +863,7 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre) - return -1; - } - -- id = oci_load_without_sha256_prefix(chain_id_pre); -+ id = oci_image_id_from_digest(chain_id_pre); - if (id == NULL) { - ERROR("Get chain id failed from value:%s", chain_id_pre); - return -1; -diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c -index 35753c79..4124281d 100644 ---- a/src/daemon/modules/image/oci/registry/registry.c -+++ b/src/daemon/modules/image/oci/registry/registry.c -@@ -877,7 +877,13 @@ static int register_image(pull_descriptor *desc) - - // lock when create image to make sure image content all exist - mutex_lock(&g_shared->image_mutex); -- image_id = util_without_sha256_prefix(desc->config.digest); -+ image_id = oci_image_id_from_digest(desc->config.digest); -+ if (image_id == NULL) { -+ ERROR("Invalid digest: %s", desc->config.digest); -+ isulad_try_set_error_message("invalid image digest: %s", desc->config.digest); -+ ret = -1; -+ goto out; -+ } - ret = create_image(desc, image_id, &reuse); - if (ret != 0) { - ERROR("create image %s failed", desc->image_name); -diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c -index 4342db5b..f92ee59a 100644 ---- a/src/daemon/modules/image/oci/utils_images.c -+++ b/src/daemon/modules/image/oci/utils_images.c -@@ -691,4 +691,19 @@ int oci_split_search_name(const char *search_name, char **host, char **name) - - return 0; - } --#endif -\ No newline at end of file -+#endif -+ -+char *oci_image_id_from_digest(char *digest) -+{ -+ if (digest == NULL) { -+ ERROR("Empty digest"); -+ return NULL; -+ } -+ -+ if (!util_valid_digest(digest)) { -+ ERROR("Load image with invalid digest: %s", digest); -+ return NULL; -+ } -+ -+ return digest + strlen(SHA256_PREFIX); -+} -diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h -index 2238bb91..ea0fb20a 100644 ---- a/src/daemon/modules/image/oci/utils_images.h -+++ b/src/daemon/modules/image/oci/utils_images.h -@@ -61,6 +61,9 @@ char *get_hostname_to_strip(void); - - char *oci_image_digest_pos(const char *name); - -+// return a pointer to digest string without 'sha256:' prefix -+char *oci_image_id_from_digest(char *digest); -+ - #ifdef __cplusplus - } - #endif -diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h -index 83b20e5e..3acf0698 100644 ---- a/src/utils/cutils/utils.h -+++ b/src/utils/cutils/utils.h -@@ -388,8 +388,6 @@ int util_generate_random_str(char *id, size_t len); - - int util_check_inherited_exclude_fds(bool closeall, int *fds_to_ignore, size_t len_fds); - --char *util_without_sha256_prefix(char *digest); -- - int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant); - - int util_read_pid_ppid_info(uint32_t pid, pid_ppid_info_t *pid_info); -diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c -index 54cc2862..4e692355 100644 ---- a/src/utils/sha256/sha256.c -+++ b/src/utils/sha256/sha256.c -@@ -388,7 +388,6 @@ char *sha256_full_digest_str(char *str) - char *util_without_sha256_prefix(char *digest) - { - if (digest == NULL || !util_has_prefix(digest, SHA256_PREFIX)) { -- ERROR("Invalid digest when strip sha256 prefix"); - return NULL; - } - --- -2.25.1 - diff --git a/0030-mask-proxy-informations.patch b/0030-mask-proxy-informations.patch deleted file mode 100644 index 6c74393..0000000 --- a/0030-mask-proxy-informations.patch +++ /dev/null @@ -1,123 +0,0 @@ -From ff67cabc3e3839ef4b539805ed54b5c826b6f446 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Mon, 4 Sep 2023 15:19:36 +0800 -Subject: [PATCH 30/32] mask proxy informations - -Signed-off-by: haozi007 ---- - .../container_cb/execution_information.c | 86 ++++++++++++++++--- - 1 file changed, 74 insertions(+), 12 deletions(-) - -diff --git a/src/daemon/executor/container_cb/execution_information.c b/src/daemon/executor/container_cb/execution_information.c -index 2f3d3627..86bb2894 100644 ---- a/src/daemon/executor/container_cb/execution_information.c -+++ b/src/daemon/executor/container_cb/execution_information.c -@@ -176,24 +176,83 @@ out: - static int get_proxy_env(char **proxy, const char *type) - { - int ret = 0; -- char *tmp = NULL; -- -- *proxy = getenv(type); -- if (*proxy == NULL) { -- tmp = util_strings_to_upper(type); -+ int nret; -+ char *tmp_proxy = NULL; -+ char *col_pos = NULL; -+ char *at_pos = NULL; -+ size_t proxy_len; -+ const char *mask_str = "//xxxx:xxxx"; -+ -+ tmp_proxy = getenv(type); -+ if (tmp_proxy == NULL) { -+ char *tmp = util_strings_to_upper(type); - if (tmp == NULL) { - ERROR("Failed to upper string!"); -- ret = -1; -- goto out; -- } -- *proxy = getenv(tmp); -- if (*proxy == NULL) { -- *proxy = ""; -+ return -1; - } -+ tmp_proxy = getenv(tmp); -+ free(tmp); -+ } -+ -+ if (tmp_proxy == NULL) { -+ return 0; -+ } -+ -+ if (strlen(tmp_proxy) >= PATH_MAX) { -+ ERROR("Too long proxy string."); -+ return -1; -+ } -+ tmp_proxy = util_strdup_s(tmp_proxy); -+ -+ if (strcmp(NO_PROXY, type) == 0) { -+ *proxy = tmp_proxy; -+ return 0; -+ } -+ -+ // mask username and password of proxy -+ col_pos = strchr(tmp_proxy, ':'); -+ if (col_pos == NULL) { -+ ERROR("Invalid proxy."); -+ ret = -1; -+ goto out; -+ } -+ at_pos = strrchr(tmp_proxy, '@'); -+ if (at_pos == NULL) { -+ // no '@', represent no user information in proxy, -+ // just return original proxy -+ *proxy = tmp_proxy; -+ return 0; -+ } -+ -+ // first colon position must before than at position -+ if ((at_pos - col_pos) < 0) { -+ ret = -1; -+ goto out; - } - -+ // proxy with userinfo format like: 'http://xxx:xxx@xxxx.com' -+ // so masked proxy length = len(proxy) - (pos(@) - pos(:) + 1) + len(mask-str) + '\0' -+ proxy_len = strlen(tmp_proxy); -+ proxy_len -= (at_pos - tmp_proxy); -+ proxy_len += (col_pos - tmp_proxy) + 1; -+ proxy_len += strlen(mask_str) + 1; -+ *proxy = util_common_calloc_s(proxy_len); -+ if (*proxy == NULL) { -+ ERROR("Out of memory"); -+ ret = -1; -+ goto out; -+ } -+ *col_pos = '\0'; -+ nret = snprintf(*proxy, proxy_len, "%s:%s%s", tmp_proxy, mask_str, at_pos); -+ if (nret < 0 || nret >= proxy_len) { -+ ret = -1; -+ free(*proxy); -+ *proxy = NULL; -+ goto out; -+ } -+ - out: -- free(tmp); -+ util_free_sensitive_string(tmp_proxy); - return ret; - } - -@@ -340,6 +399,9 @@ static int isulad_info_cb(const host_info_request *request, host_info_response * - #endif - - pack_response: -+ free(http_proxy); -+ free(https_proxy); -+ free(no_proxy); - if (*response != NULL) { - (*response)->cc = cc; - } --- -2.25.1 - diff --git a/0031-add-testcase-for-isula-info.patch b/0031-add-testcase-for-isula-info.patch deleted file mode 100644 index 2777582..0000000 --- a/0031-add-testcase-for-isula-info.patch +++ /dev/null @@ -1,115 +0,0 @@ -From e40f451f5b919ba4154cc6005439f6b4370a7ac3 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Mon, 4 Sep 2023 17:13:13 +0800 -Subject: [PATCH 31/32] add testcase for isula info - -Signed-off-by: haozi007 ---- - CI/test_cases/container_cases/info.sh | 95 +++++++++++++++++++++++++++ - 1 file changed, 95 insertions(+) - create mode 100755 CI/test_cases/container_cases/info.sh - -diff --git a/CI/test_cases/container_cases/info.sh b/CI/test_cases/container_cases/info.sh -new file mode 100755 -index 00000000..e6c03a49 ---- /dev/null -+++ b/CI/test_cases/container_cases/info.sh -@@ -0,0 +1,95 @@ -+#!/bin/bash -+# -+# attributes: isula info operator -+# concurrent: YES -+# spend time: 1 -+ -+####################################################################### -+##- Copyright (c) Huawei Technologies Co., Ltd. 2023. All rights reserved. -+# - iSulad licensed under the Mulan PSL v2. -+# - You can use this software according to the terms and conditions of the Mulan PSL v2. -+# - You may obtain a copy of Mulan PSL v2 at: -+# - http://license.coscl.org.cn/MulanPSL2 -+# - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -+# - IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -+# - PURPOSE. -+# - See the Mulan PSL v2 for more details. -+##- @Description:CI -+##- @Author: haozi007 -+##- @Create: 2023-09-04 -+####################################################################### -+ -+curr_path=$(dirname $(readlink -f "$0")) -+data_path=$(realpath $curr_path/../data) -+source ../helpers.sh -+ -+function do_test_t() -+{ -+ check_valgrind_log -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) -+ export http_proxy="http://test:123456@testproxy.com" -+ export https_proxy="http://test:123456@testproxy.com" -+ export no_proxy="127.0.0.1" -+ start_isulad_with_valgrind -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) -+ isula info | grep "Http Proxy" | grep "http://xxxx:xxxx@testproxy.com" -+ fn_check_eq "$?" "0" "check http proxy failed" -+ isula info | grep "Https Proxy" | grep "http://xxxx:xxxx@testproxy.com" -+ fn_check_eq "$?" "0" "check https proxy failed" -+ isula info | grep "No Proxy" | grep "127.0.0.1" -+ fn_check_eq "$?" "0" "check no proxy failed" -+ -+ check_valgrind_log -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) -+ export http_proxy="https://example.com" -+ export no_proxy="127.0.0.1" -+ start_isulad_with_valgrind -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) -+ isula info | grep "Http Proxy" | grep "https://example.com" -+ fn_check_eq "$?" "0" "check http proxy failed" -+ isula info | grep "No Proxy" | grep "127.0.0.1" -+ fn_check_eq "$?" "0" "check no proxy failed" -+ -+ check_valgrind_log -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) -+ export http_proxy="http//abc.com" -+ export no_proxy="127.0.0.1:localhost" -+ start_isulad_with_valgrind -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) -+ isula info | grep "Http Proxy" -+ fn_check_ne "$?" "0" "check http proxy failed" -+ isula info | grep "No Proxy" -+ fn_check_ne "$?" "0" "check no proxy failed" -+ -+ check_valgrind_log -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) -+ export http_proxy="http//xxxx@abc:abc.com" -+ export no_proxy="127.0.0.1" -+ start_isulad_with_valgrind -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) -+ isula info | grep "Http Proxy" -+ fn_check_ne "$?" "0" "check http proxy failed" -+ isula info | grep "No Proxy" -+ fn_check_ne "$?" "0" "check no proxy failed" -+ -+ check_valgrind_log -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - stop isulad failed" && ((ret++)) -+ unset https_proxy http_proxy no_proxy -+ start_isulad_with_valgrind -+ [[ $? -ne 0 ]] && msg_err "${FUNCNAME[0]}:${LINENO} - start isulad failed" && ((ret++)) -+ isula info | grep "Http Proxy" -+ fn_check_ne "$?" "0" "check http proxy failed" -+ isula info | grep "No Proxy" -+ fn_check_ne "$?" "0" "check no proxy failed" -+ -+ return $TC_RET_T -+} -+ -+ret=0 -+ -+do_test_t -+if [ $? -ne 0 ];then -+ let "ret=$ret + 1" -+fi -+ -+show_result $ret "basic info" --- -2.25.1 - diff --git a/0032-fix-oci-import-compile-error.patch b/0032-fix-oci-import-compile-error.patch deleted file mode 100644 index 2c4d64c..0000000 --- a/0032-fix-oci-import-compile-error.patch +++ /dev/null @@ -1,25 +0,0 @@ -From ff0bf5155c163c5230b3ac6d71e2dfc1ed6cfa01 Mon Sep 17 00:00:00 2001 -From: haozi007 -Date: Tue, 12 Sep 2023 17:24:24 +0800 -Subject: [PATCH 32/32] fix oci import compile error - -Signed-off-by: haozi007 ---- - src/daemon/modules/image/oci/oci_import.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c -index 0568c23f..058107a4 100644 ---- a/src/daemon/modules/image/oci/oci_import.c -+++ b/src/daemon/modules/image/oci/oci_import.c -@@ -33,6 +33,7 @@ - #include "utils_file.h" - #include "utils_timestamp.h" - #include "util_archive.h" -+#include "utils_images.h" - - #define IMPORT_COMMENT "Imported from tarball" - #define ROOTFS_TYPE "layers" --- -2.25.1 - diff --git a/0033-2188-Support-both-C-11-and-C-17.patch b/0033-2188-Support-both-C-11-and-C-17.patch deleted file mode 100644 index 3e59bf9..0000000 --- a/0033-2188-Support-both-C-11-and-C-17.patch +++ /dev/null @@ -1,60 +0,0 @@ -From bfd1b325eb93083ce4478c28aa61101ac553b458 Mon Sep 17 00:00:00 2001 -From: xuxuepeng -Date: Wed, 13 Sep 2023 02:16:12 +0000 -Subject: [PATCH 33/33] !2188 Support both C++11 and C++17 * Support both C++11 - and C++17 - ---- - cmake/set_build_flags.cmake | 11 ++++++++++- - test/fuzz/CMakeLists.txt | 13 ++++++++++++- - 2 files changed, 22 insertions(+), 2 deletions(-) - -diff --git a/cmake/set_build_flags.cmake b/cmake/set_build_flags.cmake -index 09c85c65..38069791 100644 ---- a/cmake/set_build_flags.cmake -+++ b/cmake/set_build_flags.cmake -@@ -3,7 +3,16 @@ set(CMAKE_C_FLAGS "-fPIC -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -fP - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") - - if (GRPC_CONNECTOR) -- set(CMAKE_CXX_FLAGS "-fPIC -std=c++17 -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") -+ include(CheckCXXCompilerFlag) -+ CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17) -+ if (COMPILER_SUPPORTS_CXX17) -+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.") -+ set(CMAKE_CXX_VERSION "-std=c++17") -+ else() -+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has no C++17 support. Use C++11.") -+ set(CMAKE_CXX_VERSION "-std=c++11") -+ endif() -+ set(CMAKE_CXX_FLAGS "-fPIC ${CMAKE_CXX_VERSION} -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wall -Wno-error=deprecated-declarations") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D__FILENAME__='\"$(subst ${CMAKE_SOURCE_DIR}/,,$(abspath $<))\"'") - endif() - set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -shared -pthread") -diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt -index 617a168f..0682ffa3 100644 ---- a/test/fuzz/CMakeLists.txt -+++ b/test/fuzz/CMakeLists.txt -@@ -34,7 +34,18 @@ MESSAGE(STATUS "GCLANG_PP_BINARY is set to ${GCLANG_PP_BINARY}") - SET(CMAKE_C_COMPILER "${GCLANG_BINARY}") - SET(CMAKE_CXX_COMPILER "${GCLANG_PP_BINARY}") - SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 --coverage -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") --SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage -std=c++17 -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") -+ -+include(CheckCXXCompilerFlag) -+CHECK_CXX_COMPILER_FLAG("-std=c++17" COMPILER_SUPPORTS_CXX17) -+if (COMPILER_SUPPORTS_CXX17) -+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has C++17 support.") -+ set(CMAKE_CXX_VERSION "-std=c++17") -+else() -+ message(STATUS "The compiler ${CMAKE_CXX_COMPILER} has no C++17 support. Use C++11.") -+ set(CMAKE_CXX_VERSION "-std=c++11") -+endif() -+ -+SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -O0 --coverage ${CMAKE_CXX_VERSION} -fsanitize=fuzzer,address -fsanitize-coverage=indirect-calls,trace-cmp,trace-div,trace-gep") - SET(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) - - SET(EXE0 test_volume_mount_spec_fuzz) --- -2.40.1 - diff --git a/iSulad.spec b/iSulad.spec index 7e148e1..6d9b3f0 100644 --- a/iSulad.spec +++ b/iSulad.spec @@ -1,5 +1,5 @@ -%global _version 2.1.3 -%global _release 6 +%global _version 2.1.4 +%global _release 1 %global is_systemd 1 %global enable_criv1 1 %global enable_shimv2 1 @@ -15,44 +15,26 @@ URL: https://gitee.com/openeuler/iSulad Source: https://gitee.com/openeuler/iSulad/repository/archive/v%{version}.tar.gz BuildRoot: {_tmppath}/iSulad-%{version} -Patch0001: 0001-2155-Use-reference-in-loop-in-listpodsandbox.patch -Patch0002: 0002-2156-Fix-sandbox-error-logging.patch -Patch0003: 0003-2158-Use-crictl-v1.22.0-for-ci.patch -Patch0004: 0004-2162-Fix-rename-issue-for-id-manager.patch -Patch0005: 0005-2163-add-bind-mount-file-lock.patch -Patch0006: 0006-2168-fix-code-bug.patch -Patch0007: 0007-2171-Fix-nullptr-in-src-daemon-entry.patch -Patch0008: 0008-Add-vsock-support-for-exec.patch -Patch0009: 0009-remove-unneccessary-strerror.patch -Patch0010: 0010-do-not-report-low-level-error-to-user.patch -Patch0011: 0011-remove-usage-of-strerror-with-user-defined-errno.patch -Patch0012: 0012-use-gmtime_r-to-replace-gmtime.patch -Patch0013: 0013-improve-report-error-message-of-client.patch -Patch0014: 0014-adapt-new-error-message-for-isula-cp.patch -Patch0015: 0015-2182-Add-mutex-for-container-list-in-sandbox.patch -Patch0016: 0016-2180-fix-execlp-not-enough-args.patch -Patch0017: 0017-2135-modify-incorrect-variable-type.patch -Patch0018: 0018-make-sure-the-input-parameter-is-not-empty-and-optim.patch -Patch0019: 0019-remove-password-in-url-module-and-clean-sensitive-in.patch -Patch0020: 0020-2153-fix-codecheck.patch -Patch0021: 0021-2157-bugfix-for-memset.patch -Patch0022: 0022-2159-use-macros-to-isolate-the-password-option-of-lo.patch -Patch0023: 0023-2161-bugfix-for-api-cmakelist.patch -Patch0024: 0024-2165-preventing-the-use-of-insecure-isulad-tmpdir-di.patch -Patch0025: 0025-2166-move-ensure_isulad_tmpdir_security-function-to-.patch -Patch0026: 0026-2169-using-macros-to-isolate-isulad-s-enable_plugin-.patch -Patch0027: 0027-2178-clean-path-for-fpath-and-verify-chain-id.patch -Patch0028: 0028-2179-modify-the-permissions-of-tmpdir-and-file-lock-.patch -Patch0029: 0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch -Patch0030: 0030-mask-proxy-informations.patch -Patch0031: 0031-add-testcase-for-isula-info.patch -Patch0032: 0032-fix-oci-import-compile-error.patch -Patch0033: 0033-2188-Support-both-C-11-and-C-17.patch +Patch0001: 0001-sandbox-del-m_containers-and-m_containersMutex.patch +Patch0002: 0002-sandbox-adapt-UT-when-del-m_containers-and-m_contain.patch +Patch0003: 0003-Add-Readonly-Masked-Path-and-RunAsGroup-support-for-.patch +Patch0004: 0004-network-support-version-opt.patch +Patch0005: 0005-doc-support-version-opt.patch +Patch0006: 0006-2242-disable-grpc-remote-connect-by-default.patch +Patch0007: 0007-2244-Save-task-address-of-shim-v2.patch +Patch0008: 0008-2233-add-runc-append-function-design-doc.patch +Patch0009: 0009-2243-Refactor-capbilities-specs.patch +Patch0010: 0010-2245-fix-utils_verify_ut-failure-when-remote-grpc-fu.patch +Patch0011: 0011-add-runc-attach-implement.patch +Patch0012: 0012-add-runc-attach-implement-unit-test-and-ci-test.patch +Patch0013: 0013-support-gcov-of-CI.patch +Patch0014: 0014-compatibility-for-manage-pods-which-created-by-old-i.patch +Patch0015: 0015-2250-Remove-PERFMON-BPF-CHECKPOINT_RESTORE.patch +Patch0016: 0016-open-ENABLE_GRPC_REMOTE_CONNECT-in-CI.patch %ifarch x86_64 aarch64 Provides: libhttpclient.so()(64bit) Provides: libisula_client.so()(64bit) -Provides: libisulad_img.so()(64bit) Provides: libisulad_tools.so()(64bit) %endif @@ -76,8 +58,8 @@ Requires: sqlite BuildRequires: gtest-devel gmock-devel %endif -%define lcrver_lower 2.1.2-0 -%define lcrver_upper 2.1.3-0 +%define lcrver_lower 2.1.3-0 +%define lcrver_upper 2.1.4-0 BuildRequires: libisula-devel > %{lcrver_lower} libisula-devel < %{lcrver_upper} BuildRequires: cmake gcc-c++ yajl-devel lxc lxc-devel @@ -155,7 +137,6 @@ install -d $RPM_BUILD_ROOT/%{_libdir} install -m 0755 ./src/libisula_client.so %{buildroot}/%{_libdir}/libisula_client.so install -m 0755 ./src/utils/http/libhttpclient.so %{buildroot}/%{_libdir}/libhttpclient.so install -m 0755 ./src/libisulad_tools.so %{buildroot}/%{_libdir}/libisulad_tools.so -install -m 0755 ./src/daemon/modules/image/libisulad_img.so %{buildroot}/%{_libdir}/libisulad_img.so install -d $RPM_BUILD_ROOT/%{_libdir}/pkgconfig install -m 0640 ./conf/isulad.pc %{buildroot}/%{_libdir}/pkgconfig/isulad.pc @@ -168,7 +149,6 @@ install -m 0755 ./src/isulad-shim %{buildroot}/%{_bindir}/isulad-shim install -m 0755 ./src/isulad %{buildroot}/%{_bindir}/isulad install -d $RPM_BUILD_ROOT/%{_includedir}/isulad -install -m 0644 ../src/daemon/modules/api/image_api.h %{buildroot}/%{_includedir}/isulad/image_api.h install -d $RPM_BUILD_ROOT/%{_sysconfdir}/isulad install -m 0640 ../src/contrib/config/daemon.json %{buildroot}/%{_sysconfdir}/isulad/daemon.json @@ -285,7 +265,6 @@ fi %{_initddir}/isulad.init %attr(0640,root,root) %{_initddir}/isulad.init %endif -%{_includedir}/isulad/* %attr(0755,root,root) %{_libdir}/pkgconfig %attr(0640,root,root) %{_libdir}/pkgconfig/isulad.pc %defattr(0755,root,root,0755) @@ -303,6 +282,12 @@ fi %endif %changelog +* Tue Nov 14 2023 zhongtao - 2.1.4-1 +- Type: update +- ID: NA +- SUG: NA +- DESC: update to v2.1.4 + * Tue Sep 19 2023 zhongtao - 2.1.3-6 - Type: sync - ID: NA diff --git a/v2.1.3.tar.gz b/v2.1.4.tar.gz similarity index 58% rename from v2.1.3.tar.gz rename to v2.1.4.tar.gz index 3d5f114..38c66bc 100644 Binary files a/v2.1.3.tar.gz and b/v2.1.4.tar.gz differ